Can We Compete in Cyberspace?

The best intelligence, the best capabilities in the intangible cyber domain, do not compensate for strategic shortcomings.

This is the central dilemma of Paul Nakasone and Michael Sulmeyer’s excellent article in Foreign Affairs, “How to Compete in Cyberspace.” Competition in cyberspace is a subset of the larger competition between the United States, China, and Russia. If some historian, unaffected by emotion or self-interest, were to review the first decades of this competition in the twenty-first century, he would notice the emergence of a troubling pattern: U.S. opponents have developed tactics to pursue their strategic objectives that the United States and its allies find difficult to counter (and where there is sometimes a lack of the political will to respond). This is a new style of interstate conflict for which we still have not developed an effective response.

The lack of an effective response goes beyond the need to develop capabilities and tactics—Cyber Command has done well in this regard. What it points to is the general ineffectiveness of U.S. foreign policy and the strategies derived from it. We have not thought seriously about strategy since 1990, and strategic incoherence began well before Trump. A reasonable case can be made that the Bush administration decision to invade Iraq marked the onset of the unraveling of American global power.

There are common elements in this ineffectiveness. It stems from overconfidence in American power, and also an understandable reluctance to recognize the change in international relations from a period where the United States had unchallenged superiority because of its military and, more importantly, its ideas, to one of challenge and renewed competition. The slowness in recognizing the new competition with China and Russia as more important than a focus on the Middle East was a major strategic blunder from which we have yet to recover.

As a result, the United States is on the defensive. Unlike previous periods in U.S. foreign policy, the few compensating foreign policy successes of the last decade have been largely undone by the current administration. Its decision to confront China is both timely and necessary, but unevenly implemented, and the administration has not taken significant action against Russia.

It is against this backdrop that we must measure the role for Cyber Command and policies of persistent engagement and defend forward. In the cyber context, these concepts are exactly right, but in the larger strategic context, they do not compensate for the lack of a coherent foreign policy. This makes Cyber Command a star player on a weak team.

One dilemma for an often militarized U.S. foreign policy is that the new contest is not primarily a military one. We have powerful conventional forces, but our opponents avoid direct confrontation with them and have developed tactics that undermine the United States’ position while minimizing the risk of armed conflict. These tactics involve cyber elements, accompanied by influence operations and regional gambits, but the long-term competition is over political ideas and technological leadership. Military forces are not well suited for this competition, and cyber operations alone cannot win it (although they are an important part of a comprehensive strategy).

Political ideas and technological leadership are now the foundations of global influence. The United States has innate advantages, but the tools we need for this contest are not cyber tools. A strong cyber defense (based on defend forward and persistent engagement) is important for maintaining technological leadership, if only by countering espionage and the theft of intellectual property, but it must be accompanied by measures to strengthen innovation in the United States and its partner nations.

Similarly, in the clash of ideas, we need to rebuild the tools of global influence. One way to gauge our efforts in influence building is to compare Cold War levels of spending on foreign assistance, exchange programs for foreign students, and counter-messaging with the minimal amounts we spend now. We can no longer passively wait for the world to come and admire the City on a Hill. Recreating the tools used in the Cold War ideological battle is important, but new approaches to influence building, such as the State Department’s Global Engagement Center, are needed. Cyber operations play a role in this, but only a part, and only as part of an all-of-government approach that involves State, the Departments of Justice and Homeland Security, and the Central Intelligence Agency. 

There is a certain irony that after years of lecturing the Russians and Chinese on the importance of free speech, they have chosen to turn it on the West instead of allowing it to their own people. Russian and Chinese agencies and proxies routinely use Facebook or Twitter for anti-American messaging. No Russian or Chinese social media company would permit the same luxury to Americans. We face unavoidable disadvantages in the near term as our opponents take advantage of free speech. Counter-messaging aimed at foreign audiences (including the Chinese and Russian publics) is necessary, but engaging in this information battle lies outside the authorities and capabilities of Cyber Command or the Department of Defense.

Cyber Command is also hampered by the academic discussion of cyber operations. The current discussion of stability and escalation hampers development of strategy. Stability is the condition where no country has an incentive to change existing relations with other countries by pursuing advantage through force or coercion. China and Russia seek to change the international order to better serve their interests and are willing to use coercion, force, or other means to do so. In this environment, is stability in cyberspace even possible? If international relations are unstable, cyberspace will also be unstable, and designing policies to preserve stability will prove fruitless in the face of Russian and Chinese intentions.

Seeking to avoid escalation to prevent a larger conflict is also an ineffective guide for policy and has too often proved to be an excuse for inaction. The probability of escalation from cyber operations requires a longer discussion, but there are both technological and strategic constraints that limit this risk. The absence of any incident of escalation in the last three decades suggests our adversaries have a high degree of control over their cyber capabilities, accompanied by an understanding of the tacit limits of conflict that allow them to manage and minimize risk—there are things that can be done to harm the United States that do not create unacceptable risk (such as economic espionage and election interference). Our opponents avoid other actions (such as damaging attacks on critical infrastructure) that could risk a larger conflict with the United States.

The United States needs to develop tactics, operational concepts, and strategies that permit it to take more assertive actions in cyberspace while also minimizing the risk of escalation. These cannot be a mirror image of opponent tactics, nor should they be an extension of current cyber operations. To argue that we have taken action (for example, against the Internet Research Agency or the Islamic State) is overly optimistic, since observable trends in opponent cyber actions do not point to any diminution of activity. If there was a message in our actions, they apparently did not get it.

A useful first step for an effective use of persistent engagement and defend forward is to define the desired end state. That the United States has not done this reflects larger strategic shortcomings. What outcome do we seek from our engagement with China and Russia? Is our goal some more intelligent version of regime change (a fraught term, although it is what Russia and China fear most), or do we wish to use force to drive them to the bargaining table? Both opponents are amenable to negotiation, but only if it involves concessions from the United States. Is it to punish Russia and China enough that they will end aggressive behaviors, creating an uneasy equilibrium? Is it to defend democratic values (and most analyses show democratic governance is in decline globally)? Each course has merits, risks, and disadvantages, and needs to be considered in some larger national debate on strategic renewal. Cyber action unconnected to foreign policy and strategic goals will produce desultory results and not improve our situation.

The United States needs to rethink its strategic goals for cyberspace in the context of an unstable international environment. Acknowledging that the challenges we face will require innovative approaches is long overdue. Cyber strategy is neither sui generis nor some linear continuation of nuclear strategy. An initial question is to ask what are proportional responses to cyber espionage or election interference—the areas where our opponents are most active—noting that proportionality does not require tit-for-tat responses and, more importantly, that a proportional response may be insufficient. The United States can only defend itself in cyberspace if the answer is integrated into a new national strategy that emphasizes advancing interests through action. General Nakasone has remedied our strategic shortcoming for Cyber Command, but he cannot by himself remedy it for the country.

James Andrew Lewis is a senior vice president and director of the Technology Policy Program at the Center for Strategic and International Studies in Washington, D.C.

Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).

© 2020 by the Center for Strategic and International Studies. All rights reserved.