Published daily by the Lowy Institute

Binary error: How and why governments need a cyber security rethink

Deterrence of hostile states in cyberspace misses the point when operations concentrate on only “offence” vs “defence”.

States seeking to improve their security in cyberspace have an incentive to exploit its micro-vulnerabilities (FLY:D/Unsplash)

Book Review: Cyber Persistence Theory: Redefining National Security in Cyberspace, by Michael P. Fischerkeller, Emily O. Goldman and Richard J. Harknett (Oxford University Press, 2022)

Among former president Donald Trump’s many disruptions of US national security policy was a radical, but often overlooked, acceleration in Washington’s offensive cyber operations. President Barack Obama had overseen the creation of US Cyber Command but, typically cautious, had kept it on a tight leash. Trump, happy to reverse whatever Obama had done, authorised Cyber Command to act with less oversight.

Cyber Persistence Theory makes clear that the new American approach, known somewhat euphemistically as “defend forward”, can’t be understood simply as reflexive hawkishness. President Joe Biden has largely continued the new doctrine. An early example was Cyber Command’s pre-emptive operations against an infamous Russian troll farm ahead of America’s 2018 midterm elections. The absence of crippling cyberattacks on Ukraine alongside Russia’s February 2022 invasion may yet prove to be another.


Cyber Persistence Theory provides the most detailed exposition yet of the sophisticated concepts underlying “defend forward” – or “persistent engagement”, to use its wonkier name. The book is a relatively short read (157 pages of text and 55 pages of footnotes), but it’s not always an easy one. The argument is rigorous and dense.

It’s also strikingly ambitious. The book claims to offer no less than a new paradigm for cyber security. It argues the unique features of networked computing and its digital interfaces have created a security environment completely unlike those of conventional or nuclear security. Concepts borrowed from those realms, such as coercion and deterrence, don’t help in understanding the specific logic of cyber security. Cyberspace is “macro-resilient (and thus stable) and micro-vulnerable (and thus inherently exploitable)”. It’s resilient partly because the internet was, after all, the product of an effort to eliminate single points of failure in US nuclear command and control. It’s vulnerable because the technology was designed, from the outset, to expedite rather than deny access.

States seeking to improve their security in cyberspace have an incentive to exploit its micro-vulnerabilities and the book records how they are doing so. But this constant competition to shape and reshape cyberspace only rarely involves direct engagement between states. Rather, it is taking place through a series of unilateral faits accomplis. Efforts at cyber deterrence have failed because cyberspace is an environment of exploitation rather than coercion. Attempts to categorise cyber operations as “defensive” or “offensive” are similarly missing the point, as the authors note:  

If I track an active breach of my network and simultaneously protect aspects of that network, but allow access to other sectors of the network to understand … the opponents and then use information gained to enhance a prepositioned set of code and execute my own exploitation of the opponent’s system all in a simultaneous set of manoeuvres that take effect in a matter of minutes, if not seconds, at what point am I playing defence and at what point offence?

In this environment, states that take the initiative and act quickly to shape cyberspace in their favour will be rewarded. A purely defensive strategy won’t work because it cedes the initiative to other actors. Although states could, theoretically, simply disconnect from cyberspace, this would also preclude them from enjoying its many benefits and weaken overall security.  

The authors are perhaps too sanguine about the risks of escalation and the corrosive effect of persistent competition. They argue that the absence, so far, of a cyberattack that has the effect of an armed attack is not just luck: the structure of cyberspace encourages competition below the threshold of armed conflict. But if the book is right to argue that “competition below the level of armed conflict is just as consequential strategically as war and territorial aggression” then perhaps we should be more worried about constant competition between keyboard warriors in the United States, China, the United Kingdom, Russia, Israel, Iran and North Korea.


The book devotes attention to the development of stronger norms but argues that these are more likely to emerge from the tacit bargaining that accompanies actual state behaviour in cyberspace than from formal processes such as the UN open-ended working group (they don’t hold out much hope that this will happen quickly).

Cyber Persistence Theory claims to be equally relevant to all states, but its interpretations of international law and policy prescriptions clearly accord with the preferences of the United States or, more specifically, those of the US Department of Defense. Several pages are devoted to upbraiding the Departments of State and Justice for failing to adopt the new paradigm of persistent engagement.

That is important context but it doesn’t weaken the substance of the arguments. The analysis of – and distinctions between – the conventional, nuclear and cyber strategic environments contained in Chapter 2 is especially sharp. This sort of deeply structural analysis could be developed to better understand other forms of statecraft in a more interconnected and interdependent world, especially geo-economics, which currently seems limited by concepts that are either ill-fitting (“deterrence and coercion”) or vague (“grey zone”).  

At the very least, the drafters of Australia’s new Cyber Security Strategy need to consider if and how to adopt cyber persistence theory. The Australian Signals Directorate’s Redspice program and the creation of a new ASD–AFP taskforce suggest that Australia is engaging persistently alongside its close US ally. But there are also plenty of signs that Australia is clinging to the old paradigm of cyber deterrence and offensive cyber, framed rhetorically and legally as episodic law enforcement rather than persistent engagement.