RADM (Ret) Mark Montgomery / Erica D. Borghard
Scholars and practitioners in the area of cyber strategy and conflict focus on two key strategic imperatives for the United States: first, to maintain and strengthen the current deterrence of cyberattacks of significant consequence; and second, to reverse the tide of malicious behavior that may not rise to a level of armed attack but nevertheless has cumulative strategic implications as part of adversary campaigns. The Department of Defense (DOD) strategic concept of defend forward and U.S. Cyber Command’s concept of persistent engagement are largely directed toward this latter challenge. While the United States has ostensibly deterred strategic cyberattacks above the threshold of armed conflict, it has failed to create sufficient costs for adversaries below that threshold in a way that would shape adversary behavior in a desired direction. Effectively, this tide of malicious behavior represents a deterrence failure for strategic cyber campaigns below the use-of-force threshold; threat actors have not been dissuaded from these types of campaigns because they have not perceived that the costs or risks of conducting them outweigh the benefits. This breakdown has led to systemic and pervasive efforts by adversaries to leverage U.S. vulnerabilities and its large attack surface in cyberspace to conduct intellectual property theft—including critical national security intellectual property—at scale, use cyberspace in support of information operations that undermine America’s democratic institutions, and hold at risk the critical infrastructure that sustains the U.S. economy, national security, and way of life.
U.S. strategy has simultaneously focused on the longstanding challenge of deterring significant cyberattacks that would cause loss of life, sustained disruption of essential functions and services, or critical economic impacts—those activities that may cross the threshold constituting a use of force or armed attack. Indeed, Congress chartered the U.S. Cyberspace Solarium Commission in the 2019 National Defense Authorization Act to “develop a consensus on a strategic approach to defending the United States in cyberspace against cyberattacks of significant consequences.” There is also a general acknowledgment of the link between U.S. cyber strategy below and above the threshold of armed conflict in cyberspace. Specifically, efforts to defend forward below the level of war—to observe and pursue adversaries as they maneuver in “gray” and “red” space, and to counter adversary operations, capabilities, and infrastructure when authorized—could yield positive cascading effects that support deterrence of strategic cyberattacks.
Less attention, however, has been devoted to the cross-domain nexus between adversary cyber campaigns below the level of war and the implications for conventional or nuclear deterrence and warfighting capabilities. The most critical comparative warfighting advantage the United States enjoys relative to its adversaries is its technological edge in the conventional weapons realm—even as its hold may be weakening. Indeed, this is why adversaries prefer to contest the United States below the level of war, in the gray zone, and largely avoid direct military confrontation where they perceive a significant U.S. advantage. At the same time, adversaries are making substantial investments in technology and innovation to directly erode that edge, while also shielding themselves from it by developing offset, antiaccess/area-denial capabilities. Moreover, adversaries are engaging in cyber espionage to discern where key U.S. military capabilities and systems may be vulnerable and to potentially blind and paralyze the United States with cyber effects in a time of crisis or conflict.
Mark Montgomery is Executive Director of the U.S. Cyberspace Solarium Commission and Senior Director of the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation. Dr. Erica Borghard is a Resident Senior Fellow in the New American Engagement Initiative, Scowcroft Center for Strategy and Security, at the Atlantic Council. Follow Mark on Twitter @MarkCMontgomery. FDD is a Washington, D.C.-based, nonpartisan research institute focusing on national security and foreign policy.