Between Hacks and Hostilities: Are the US government and private sector ready for persistent engagement?
Image from Shutterstock.
Cybersecurity is necessarily an issue that crosses international boundaries, raising complex questions of sovereignty, jurisdiction, law and policy. In response, lawyers have struggled to find the right legal metaphor or framework to apply to cyberspace. Each of these issues concerns the American Bar Association Rule of Law Initiative because the way we as a society choose to address these challenges implicates what it means to live and operate under the rule of law.
The United States government produces almost as many reports and strategies as the ABA. One recent document warrants the attention of the bar, and not just security practitioners. The Department of Defense Cyber Strategy released in September—or more precisely, the unclassified part of the Strategy available to the public—breaks new and important ground, potentially marking a significant shift in the federal government’s strategic posture. How important the Strategy is will depend in large part on whether it is tied to an effective policy and decision-making process.
If I were briefing a senior policymaker on the substance and import of this new Strategy, I would highlight the following key statement:
“We are engaged in a long-term strategic competition with China and Russia. … The United States seeks to use all instruments of national power to deter adversaries from conducting malicious cyberspace activity that would threaten U.S. national interests, our allies, or our partners. … [The United States will] persistently contest malicious cyber activity in day-to-day competition.”
What is remarkable here is not the content of the statement, but the willingness to say it publicly. What would be even more remarkable would be if the U.S. government did in fact use all the instruments of national power to enforce cyber norms, as it once used all the instruments of national power to contain the Soviet Union. Gen. Paul Nakasone, in his capacity as the commander of U.S. Cyber Command, has advocated this approach encapsulated in the concept of “persistent engagement.” Two other statements warrant reference:
“We will defend forward to disrupt or halt malicious cyber activity at its source.”
“We must assertively defend our interests in cyberspace below the level of armed conflict.”
But private actors need to also pay attention to the Strategy. If I were briefing a managing partner or a corporate executive—something that used not to be part of the core governmental mission but should be now—I would make six points:
- The playing field may have just changed. Persistent engagement below the level of armed conflict means cyberspace is going to get more complicated rather than less. Just how complicated will depend, in part, on whether the U.S. government practices what it preaches, or if it just preaches. It will also depend on whether adversaries are inspired or deterred by U.S. practice.
- “Below the level of armed conflict” consists of everything between hacks and hostilities. Therefore, to shape policy effectively, the U.S. government needs to know, in real time, what is happening in the private sector and where in the private sector that activity is happening. Without such knowledge, the government will not be able to formulate an effective practice of deterrence. That is one reason the Strategy directs DOD to “build private sector partnerships.” And it is one reason the secretary of defense is given express authority in Section 1642(b) of the National Defense Authorization Act for Fiscal Year 2019 to engage in voluntary private sector cooperation, including information sharing.
- Private actors should not complain about what the federal government is or is not doing; they should help shape policy outcomes and cite the Strategy as the basis for doing so. The federal government has ample legal authority from the NDAA to act in response to cyberattacks on U.S. interests. Whether it does so is a matter of policy choice, not law.
- The private sector, no less than the government, needs to be prepared to act at machine speed. That means in a proactive, rather than reactive, manner. And that means identifying industry redlines in advance and making sure the government is aware of those redlines and how best to defend them.
- Machine speed and persistent engagement below the level of armed conflict increase the importance of good process and lawyering. I would follow the “Curley Rule,” derived from four-time Boston Mayor John Michael Curley’s campaign slogan: “Vote Early and Often for Curley.” Of course, Curley served his last term from jail, so the principle is slightly different. I am suggesting that industry executives consult their lawyers early and often.
- Finally, if you think this is bad, wait until artificial intelligence, and perhaps quantum computing, take hold of cyberspace. Cybersecurity is not a business cost—it is a business necessity. It underpins consumer confidence. It is a fundamental aspect of corporate social responsibility. AI will compound these truths because data is the lifeblood of machine learning. The value of data will increase with AI, which means so, too, will the cyberattacks.
The Cyber Strategy treats cybersecurity as the national security priority it is and offers a blueprint for moving forward. Private practitioners should take note. “Below the level of armed conflict” is where the action is. Proactively engaging threats in this space removes the free pass for adversaries seeking to advance strategic ends while avoiding the “armed attack” threshold. The military has always defended forward while remaining below the level of armed conflict: Consider the Navy protecting reflagged Persian Gulf tankers in 1987, the Air Force flying NFZs over Iraq or the Balkans, and the Army today in the Baltic states.
Now is the time to get the process right; to implement the Strategy by creating and empowering a policy and decision-making process commensurate with the mission; to move from Daniel Webster imminence to Alan Turing instantaneous. A process that passes this Turing test would be one that effectively builds private-public partnerships, operates day-to-day, is persistent and moves at machine speed when needed and it is wise to do so.
That is as true for the private sector as it is for government. If we do not get the process right—timely, contextual and meaningful—it will not matter how good a strategy we have for addressing the wide and growing space between hacks and hostilities.
James E. Baker is a professor at Syracuse University and director of the Institute for National Security and Counterterrorism in Syracuse, New York. He previously served as an associate judge and chief judge of the U.S. Court of Appeals for the Armed Forces and legal adviser to the National Security Council. He is a member of the Rule of Law Initiative.
ABA Abroad is a column highlighting the work of the ABA’s Center for Global Programs, which comprises the Rule of Law Initiative, Center for Human Rights and the ABA’s presence at the United Nations.