Re-Categorizing Cyber Conflict

At the end of May, the Senate confirmed Army Gen. Keith Alexander as commander of U.S. Cyber Command. The command’s creation had already been controversial, and as a result, the Senate Armed Services Committee delayed Alexander’s confirmation due to questions over roles and missions, authorities and restrictions. After his confirmation, Alexander specified that the new command is responsible for directing the day-to-day operations and defense of Department of Defense information networks, as well as for the “planning, integration, and synchronization of cyber activities, and when directed . . . for conducting full-spectrum military cyberspace operation[s]” to ensure freedom of action in cyberspace for the U.S. and its allies.

Consider that rather remarkable state of affairs: The command’s daily writ does not extend to protecting the United States itself from cyber attack.

Since cyberspace’s creation, the U.S. government has struggled with protecting it, an increasingly urgent problem given the country’s growing dependence on the Internet. The challenge comes from the fact that cyberspace is largely created, owned, and operated by private entities, particularly in the United States. Consequently, the first responders to any cyber attack will likely be private-sector entities. The United States government simply lacks insight and oversight over private networks. As a result, three consecutive administrations have worked to build and strengthen public-private partnerships and cooperation to secure the U.S. information infrastructure, leaving the United States in the unsatisfactory position of relying on private parties pursuing private self-interests to secure the entire country’s cyber infrastructure.

Part of the problem lies with the fact that policymakers are still unsure how to treat cyber attacks. Are they acts of war? Crimes? Intelligence operations? Once authorities categorize an attack, they can use existing intellectual and policymaking frameworks to deal with it. But the difficulty of answering these questions consumed much of Alexander’s confirmation hearing and subsequent exchanges with the Senate Armed Services Committee. No one questioned the general’s credentials or suitability: The focus remained on the command’s roles, responsibilities, and relationship to the intelligence community, the Department of Homeland Security, and the private sector.

Those issues have been the focus of policymaking since the rise of the information economy. The understandable controversy — and uncertainty — surrounding Cyber Command’s creation and Alexander’s appointment are the result of the failure to answer those questions satisfactorily over the last two decades. Policy development is stalled while the country tries to sort out the answers.

In truth, conflict in cyberspace, in and of itself, does not fall neatly into any of these categories, for a variety of reasons. Attacks may be more consequential than crime or intelligence collection, yet remain less threatening than war. The nature of cyberspace levels out the relative power imbalances that dominate international relations, placing individuals, small groups, large conglomerates, and countries on a similar playing field. Ambiguity also plays a role. Actors in the physical domains — sea, air, land, and space — are identifiable, as are the boundaries that help authorities determine to whom those actors are accountable. Cyberspace actors, however, are created in cyberspace. Their identities do not necessarily coincide with those of their creators. Thus, it is difficult to hold cyberspace actors accountable for their behavior using regimes and means developed for physical domains, in which the actor’s identity is known and coincides with some sovereign authority.

In cyberspace, non-state actors may be able to wield power on par with some state actors. Meanwhile, state actors have an incentive — and the ability — to disguise their behavior as that of a non-state actor, so as to escape accountability in the legal, political, diplomatic, economic, or military spheres. Conversely, all actors may have difficulty convincing others that they are not in fact engaged in behavior that they are falsely accused of. In short, cyber attackers can seek to present their attacks in the way that most complicates a defender’s strategic interpretation of, and response to, an attack. The very process of categorization may well undermine our security by blinding us to this possibility.

Solutions derived from our experience defending physical domains have their uses, but will ultimately be inadequate, even when they are adapted to the characteristics of cyberspace. Instead, policymakers need a new intellectual framework that accepts cyberspace’s unique features. Some analysts have recommended approaches used to solve other society-level problems, such as system safety engineering or a public health model. Both have much to offer the national security community. They may make cyberspace more resistant to attacks as it evolves, and help manage the risks and consequences of successful attacks. That said, they remove the adversary as a conscious actor from the security formula. In general, safety flaws and diseases do not actively seek to defeat the thought processes of those attempting to prevent their spread or contain their damage. Cyber attackers do.

Whereas categorizing attacks will always prove challenging, it might prove more fruitful to assess the role that cyberspace infrastructure plays in enabling them. Unlike other domains, cyberspace is created by people who design, build, own, and operate the servers, transmission lines, interface nodes, data processors, and software that give cyberspace life. Those people exist in a physical domain, under some country’s legal sovereignty.

A framework for national security in cyberspace must take this into account and consider whether, and how, the United States might hold these entities accountable for how their creations are used. Such a concept runs counter to many traditional American views of fair play, which focus on malicious actors and their acts. However, in cyberspace, it will also be necessary to consider the role of enablers, particularly given the inadequacy of other frameworks in dealing with cyber actors. Only by adopting such an all-inclusive vision can the United States determine which policy tools best suit the circumstances of any particular attack and begin to answer questions about roles and missions, authorities and restrictions.

Eric R. Sterner is a fellow at the George C. Marshall Institute. He held senior staff positions on the House Armed Services and Science Committees and served in the Department of Defense and NASA.

This article appeared in World Politics Review at http://www.worldpoliticsreview.com/articles/5988/re-categorizing-cyber-conflict

Partner & Fellow Blogs