I wrote this very long email to a senior member of the Cyberspace Solarium Commission. It was well received and the person agreed with many of my assertions. Sharing is caring.
Power: We always knew that shaping works better than signalling. The report does subtly hint at a crucial departure from how the US accumulated power in cyberspace during the last three to four decades. It rode the wave of information dominance by hinging its strategy on access. By controlling the economic, technical, innovative or geographic aspects of the flows, it allowed the US to disproportionately and strategically exploit the much vaunted access. The cost-benefits of access-based operations far outweigh the uncertainty and complexity of any expeditionary initiative. Expeditionary operations by design lack strategic clarity which someone like POTUS may need and hence, their ambiguity may even breed more self-perpetuating strategic uncertainty. I think, during all the cyber crises which the US responded to in the last decade (Operation Aurora, Sony Pictures, 2016 interference and SolarWinds), the underlying strategic uncertainty has only increased. In cyber, institutional memory is institutional capability. And in that sense, the US cyber offence function could also be inheriting the cultural biases around passive access – it could be seen as an anti-pattern in its strategy. It’s evident that its tactical, surgical operations (like those of TAO) were heavily pivoted around strategic passive access as the enabler (e.g. Quantum). There was an underlying assumption that compromising each network would exponentially increase the “compromise boundary.” Are such assumptions going to remain true in the next 10 to 20 years? Does the US cyber strategy of generating effects subconsciously imply that such assumptions are going to remain true, or, at least, is it inheriting the old cultural biases? Gradually, access-enabled accumulation of power has become competitive. But aren’t we envisioning the splintering of access or balkanisation in the wrong way?
The hierarchical, Leninist controls that are emerging won’t fully manifest themselves over the network interfaces but more so at the analytic layer which Russian control theorists like Druzhinin and Kontorov had long envisaged. How would that change the nature of subversion, sabotage, coercion and compellence – in general, the nature of cyber operations?
Competition: Beyond the fading-boundaries-of-war-and-peace kind of discourse which is in fashion now, isn’t cyber competition, as the Russian or Chinese strategists foresaw, systems warfare or system-on-system warfare? Even American strategists like Dennis M. Murphy emphasise that the US military strategy in the information environment is somewhat obsessed with capabilities. However, on the other hand, there is always the foregone conclusion that cyber effects would squarely fall under the extremely militaristic D5 spectrum. Are these assumptions a product of the ‘physics’ of the domain, or rather the baggage of a normative framework which would never adapt to the change? Is the US Cyber Command – doctrinally, legally and strategically – in a position to fight system-on-system warfare? Is this the hangover of a sub-unified command?
Power Projection: It would not be incorrect to assert that many of the cyber capabilities and effects may actually be manifesting themselves more in the cognitive than the quasi-kinetic dimensions. From the attack on Sony Pictures Entertainment which triggered the calls for a “proportional response;” the manipulation of the software supply chain of the Ukrainian accounting firm M.E. Doc; even the sophisticated disruption of the Ukrainian power grid; to the hack-and-leak operations of the CIA and the USCYBERCOM – the cost-benefits seem to be heavily tilted towards the cognitive side. As the principal adversary hunter of Dragos, Inc., Joe Slowik comments: “Stuxnet…continues to be misunderstood by many as a straightforward destruction event, and possible electric sector attack scenarios [affecting Ukraine] blending information operations with cyber disruption.” I am writing a whole paper on the cognitive traits and weaknesses of cyber operations. Not only do the cognitive parameters challenge the operational imperatives, but they also question the well-known generalisations around critical infrastructure, the redlines of competition and deterrence. All this leads to the discussion around cyber grand strategy. Isn’t the Joint Doctrine Note 1-19, Competition Continuum, questioning the nature of deterrence sought by Defend Forward? As a result of your actions, has the adversary even engaged in wilful or inadvertent competition? If not, then is the strategy working in its current form? What if the adversary resorts to disengaged automation instead of direct competition? How would Defend Forward’s expeditionary strategy adapt if the adversary resorts to blended operations instantiated by HUMINT, and a heterogeneous, autonomous and cooperative sensor network rather than a centralised, infrastructure-driven command-and-control? What would the “Forward” of Defend Forward look like then? And wouldn’t “Defend” change to “Attack”? This has two possible side-effects.
First, you may never ever reach the thresholds of attrition which would make things intolerable, costly or untenable for the adversary. The adversary and you may remain on wholly different cognitive planes. This most likely happened in the case of Russia. Second, you could possibly trail behind the threat landscape. How do we account for reasonable attrition as a strategy?
Customary Laws & Cyber Norms: While the ambitions of Solarium are lofty and its intent clearly articulated, the incremental approach adopted by it inherits the extant structural, taxonomic and technical contradictions that have marred national cyber policy and the international rules-based order. It carries many of the philosophical faultlines and paradoxes which have widened the gulf between the empirical realities of the cyber domain and the strategic generalisations of policymaking. As per Selmer Bringsjord, any effort to derive a normative framework for cyberspace must burrow deep into its structures of power which have no precedents in our shared physical realities. Major contradictions and policy gaps have arisen from the teleologic nature of laws governing cyberspace, driven by reasoning by analogy. And as a result, customary law governing conventional conflict, too, hangs in the balance. The parameters governing confrontation and competition in cyberspace may largely be cognitive or perceptive – they challenge all the known precepts of deterrence, thresholds of war and cyber resilience. However, this international policy paralysis hasn’t stymied norm-creation. It’s just that its fulcrum has shifted from the status quo imposed by neoliberal institutionalism to political regimes based on information security. One could cite quite a few precedents where the North Koreans, Russians and Chinese have deftly imposed new behaviour which is now calcifying as customary law (self-censorship, app bans and trade wars of the West; the recalibration of cyber operations to imbibe more cognitive qualities when it comes to effects/hack-and-leak, etc.). If this continues, the West may lose out on an opportunity to shape normative behaviour as such customary laws may become irreversible. We need to start assessing the radical constructs of a renewed international relations taxonomy required to pave the way for applicable, empirical and relatable normative frameworks.
And non-state/Track 1.5 actors may lead such efforts, as in the case of SolarWinds with Microsoft. Are the extant normative frameworks seeking just peace or just war? Cyber norms somehow assume that they need to be equitable for defenders. Norms are meant for waging a just war, not just peace. As long as they remain inequitable for offensive teams, the violability of norms would be seen progressively in bare-knuckle statecraft. Imposing upon cyber actors to avert or ignore a “barred” attack surface – the so-called “black letter laws” – is an idea which is extremely flawed, if not tragicomic. It betrays ignorance of the policy community in understanding even the basic constraints of cyber operations like cost-benefits, concept of operations, geopolitical imperatives, and doctrinal lineages, etc. What would happen if you impose the same set of blanket restrictions on resource-stricken North Korean operators coding their offensive toolchains in the Microsoft Foundation Class library and the NSA which has had a 100-year hegemony on encryption? You will have massively funded A-teams enjoying compliance with black-letter rules – but not necessarily with international law – while D-teams resort to violation and impunity. Borderline rogue actors may get castigated and left out from the norm-setting process, only encouraging attrition. As is happening now, it will calcify the wrong kind of customary law.
Why Combatant Commanders Won’t Understand Information Operations: In what may be deemed one of the biggest betrayals, Solarium has completely shied away from articulating a need to overhaul the information operations doctrine. There can be no pivot to a cyber strategy without an information strategy. No Layered Deterrence is going to work without that. At the behest of the Pentagon, influenced by the “kinetic” mentality of the generals (as is pointed out by Herbert Lin), the cyber operations doctrine was carved out of the JP 3-13. Reading between the lines, it’s clear that JP 3-12 secretly wished to retrofit cyber operations to D5, while paradoxically declaring that cyber operations form a part of the larger information environment. The whole idea was very schizoid. Now, amusingly, everything is coming full circle. The US Army has the lofty ambition of renaming the Army Cyber Command to Information Warfare Command to signify a renewed impetus. At the same time, the Congressional Research Service points out that no official definition of “information warfare” exists within the Pentagon. Not to be left behind, the Navy Warfare Publication 3-12 Information Operations was revised in recent years as the Navy Information Dominance Forces were reconstituted as Naval Information Forces. Last but not least, the Marine Corps Warfighting Publication 3-32 Marine Air-Ground Task Force Information Operations was last updated in 2015. However, the newly installed position of Deputy Commandant of Information postulated another blueprint for the Marine Expeditionary Force Information Groups. Combatant commanders won’t ever get information operations because they are not meant to. Dennis M. Murphy wrote a whole book on a similar topic, Talking the Talk: Why Warfighters Don’t Understand Information Operations. A Marine Corps University paper rightly pointed out that information operations are heavily associated with the military and warfighting.
On the other hand, not even Solarium cared to touch upon the stasis that gripped the information operations doctrine over the last two decades. How can the US fight systems warfare without even touching upon information operations doctrine? We need to revisit how the Smith-Mundt Law may apply to the changing realities of cyberspace, the role of the State Department, and the role of the US Information Agency where we left it off. Moreover, the Western lobby may also need to push the resolution of international law around information operations from the logjam of US vs. Nicaragua.