The strategy neglects to explain why the United States and like-minded nations face this challenge. The United States invented the Internet and developed the most prominent internet and technology companies—so why does the United States seem overwhelmed by this ephemeral threat?

Cyberspace is often framed inaccurately as an unlimited, incomprehensible domain that confounds rational analysis for policy creation. Cyberspace complexity is similar to the complexity of an ecosystem, yet ecosystems do not engender the same panic-inducing irrationality.[2] Ecosystems express relative stability, whereas the cyber domain remains unstable. Cyberspace complexity continues to grow, with only 64.6% of the world’s population currently internet-connected and annual digital connectivity growth over three times the population growth (2.9% and 0.84%, respectively).[3] Establishing stability in cyberspace is the goal, where economic activity progresses without widespread fear of attack and criminals and nefarious state actors alike are held accountable. Eventually, the cyber domain will reach stability, given the action and reaction behavior between the provocateurs and defenders. In the years before natural stability occurs, fortunes of nations will rise and fall, incentivizing the United States, as the current leader in prosperity, to hasten the approach to stability through creative policies.

Policymakers must understand the nature of the cyber domain to innovate policy that hastens stability. Cyberspace is neither boundless nor incomprehensible, and it is more akin to the land domain than to the sea, air, and space domains; its landscape of challenges, and how governments tackle them, find better parallels in the land domain. For example, the diversity of threats in the land domain ranges from trespassing and kidnapping to invasion and war crimes. Cyber threats are equally pervasive, and segregating cybercrime from cyber-attack and cyber espionage is a necessary component of the division of responsibility and jurisdiction. The remarkable growth in cybercrime necessitates a local enforcement capability to attribute and aid just resolution of this lower-level cyber-attack.[4] The ability of local enforcement to conduct cyber investigations varies significantly across the United States, leaving gaps in protection.

One critical difference between the land and cyber domains is cyber’s rapid evolution. Most police work involves similar crimes conducted under similar methods under similar motives. Even the motivations for Russia’s second invasion of Ukraine stem from a classic geopolitical power struggle, unchanged for millennia. As noted by a cyber security expert at a leading U.S. technology company, the rapid advances in cyber security create an arms race for adversaries to innovate new methods of attack.[5] Often, the most successful attackers are “Advanced Persistent Teenagers,” those raised in an integrated cyber world. These individuals have considerable time to focus on a target to discern and exploit vulnerabilities. While the land domain lends itself toward a hierarchical framework, the rapid evolution in cyberspace advantages a horizontal structure. A flat structure facilitates swift detection and classification of new threats and disseminates threat telemetry quickly without burdensome reviews. U.S. adversaries in cyberspace exceed the United States in capacity and are rapidly approaching equivalency in capability, as described in the 2023 National Cybersecurity Strategy (NCS):

The People’s Republic of China (PRC) now presents the broadest, most active, and most persistent threat to both government and private sector networks and is the only country with both the intent to reshape the international order and, increasingly, the economic, diplomatic, military, and technological power to do so. Over the last ten years, it has expanded cyber operations beyond intellectual property theft to become our most advanced strategic competitor with the capacity to threaten U.S. interests and dominate emerging technologies critical to global development.[6]

If strategic competition shifts to a great power war, China possesses the manpower advantage in the cyber realm. The United States requires a technical and organizational offset to counter that advantage. Given China’s drastic manpower advantage, the United States needs to invest time, capital, and manpower into building a credible cyber deterrence.

Resilience to Attack

To enhance overall resilience to cyber attacks, the United States should improve cyber system design for security, create a cyber reserve organization to integrate cybersecurity expertise within public and private enterprises, and discourage the formation of “splinter-nets” by allies and partners by listening to legitimate concerns and collaborating for just solutions. 

As identified in the United States 2023 National Cybersecurity Strategy, creating inherently secure cyber infrastructure is a national priority.[7] The openness of nascent Internet and software infrastructure benefited from transparency to foster rapid innovation and improvement. However, the volume of wealth traversing cyberspace today requires a security baseline rather than a transparency baseline. Models for inherently secure networks exist, such as the online governance system of Estonia.[8] “E-Estonia,” in establishing zero-trust cyber architecture, instituted a high barrier to data exchange and collection, which prevents many U.S. companies, like Alphabet and Meta, from executing their business strategies. The United States, working with European regulatory partners, should create a zero-trust exchange infrastructure that validates permissions to access data and balances data access for privacy and private industry.

A critical step in zero-trust infrastructure is validating user authenticity. The e-Estonia system utilizes digital keys embedded in their national ID system to allow access to all government sites and many commercial enterprises. Adding a physical key is already commonplace in the U.S. government, where access to the Secret Internet Protocol Routing Network (SIPRNET) used by the Department of Defense and State Department is controlled with a user-issued token, the same size and shape as an ID card. Google’s Titan security key offers another possible physical key solution.[9] While the United States’ cultural history likely precludes adopting a national identification card, the federal government could create a template from which states could adapt. Standardizing the method of physical key implementation will improve understanding and trust in the security tool, as users could maintain the same key for life and start in childhood. Estonia’s financial industry served as an early adopter of digital key log-in. The advantages of reduced fraud saved such significant revenue that the industry incentivized expanded use of key log-in. Once the benefits of zero-trust infrastructure and improved data protection hit the population (like filing taxes in under three minutes!), cultural apprehension will likely dissipate.

Moving beyond the improved system design, creating a cyber reserve force in the United States would provide mutually beneficial technical experience, expertise, and information to private and public enterprises and respond against large-scale cyber-attack. The reserve structure allows experts to continue working in the private sector, benefiting innovation and economic prosperity while organizing a capability to leverage in a crisis. The United States should use tax benefits, access to privileged intelligence, and support of nationwide cyber defense expertise to incentivize the participation of private companies. The “New Social Contract” released by the Office of the National Cyber Director calls for improving the public-private partnership in cyberspace, precisely the purpose of cyber reserves.[10] These cyber reservists should be screened for security clearances to allow access to sensitive threat information. Today, civilian activists play a crucial role in cyber defense, attribution, and offensive cyber in the conflict in Ukraine.[11] The Cyber Defense Unit of Estonia[12] and the North Atlantic Fellows Organization (NAFO)[13] employ civilian volunteers to conduct a range of cyber operations, including identification and countering Russian disinformation and email phishing to identify Russian soldiers accused of war crimes.[14] Incorporating motivated civilians like these and offering additional resources would enhance cyber resilience. A network of experts across the private sector would share threat telemetry faster and remedy vulnerabilities at the speed of relevance.

A more resilient Internet provides little value to the United States if its allies and partners splinter their networks. Privacy concerns associated with significant technology companies scraping data without transparency perpetuate distrust of U.S. companies across the globe and, most significantly, in Europe. Growing calls for the nationalization of data and tighter privacy controls would hamper the development of new advanced technologies like artificial intelligence and cede the advantage to China, whose ruling communist party has no regard for the privacy of its citizens, much less the privacy of foreigners. The United States should value and respect privacy concerns and criticisms from allies and explore shared regulatory action to build commercial trust and accountability. As described in the 2022 National Security Strategy, “We are working closely with allies and partners, such as the Quad, to define standards for critical infrastructure to rapidly improve our cyber resilience, and building collective capabilities to rapidly respond to attacks.”[15] Keeping an open Internet is vital to success in strategic competition and relies on a collaborative approach that integrates concerns of U.S. allies and partners.

Capability to Respond

Concurrently with the adjustments making cyber infrastructure more resilient, the rules-based international order ought to bolster its ability to respond. In meetings with Ministry of Defense delegations in Latvia, Estonia, and Finland and officials across multiple U.S. departments, developing capabilities to respond to cyber-attacks is a lower priority than building resilience and often not worth pursuing. However, without the ability to inflict punitive action, like USCYBERCOM’s defend forward, adversaries will remain incentivized to continue their onslaught.[16] Some of this reluctance stems from overreliance on USCYBERCOM’s exceptional capabilities and failure to appreciate the manpower and resource constraints. USCYBERCOM cannot serve as the lone guarantor of the world’s cyberspace. From the 2023 National Cybersecurity Strategy:

The governments of China, Russia, Iran, North Korea, and other autocratic states with revisionist intent are aggressively using advanced cyber capabilities to pursue objectives that run counter to our interests and broadly accepted international norms. Their reckless disregard for the rule of law and human rights in cyberspace is threatening U.S. national security and economic prosperity.[17]

To build better capability, the United States should leverage offensive cyber capabilities within the Cyber Reserve force discussed earlier and expand tuition and training assistance for cyber-related fields. Cybersecurity experts require years of training and education, contributing to a considerable shortage of trained workforce in both the private and public sectors.[18] Cyber reserves, through an initial training program, could alleviate some of this knowledge deficit and provide an avenue for professional development and subsidize higher certifications. In strategic competition, the cyber forces of the United States are already near capacity to respond to attacks and would likely come under significantly greater assault during a direct conflict with Russia or China.[19]

Cyber reserve personnel should be trained and empowered for limited hack-back techniques. A hack back consists of a counter-attack to negate the gains of the cyber attacker. For example, if a bank witnessed illegal activity diverting funds, a cyber reserve employee could use authorities under the cyber reserves to enter criminal networks and recover the funds. By incentivizing participation in the cyber reserves, an organized network of experts becomes enmeshed across the cyber-attack surface, improving the overall ability of the United States to detect, attribute, and respond to cyber-attacks. Additionally, trends forming in disparate aspects of society, like elementary education and the electric power grid, could coalesce to recognize a broad attack and trigger a federal response. Only through closer coordination and integration between public and private organizations can the defenders out-innovate attackers and raise the expertise threshold necessary to conduct cyber-attack. As responses’ regularity and effectiveness grow, adversaries’ risk calculus shifts. No longer able to attack with impunity, they must now consider the repercussions of each attack. With defenders across the spectrum using the best practices and intelligence, shooting the rain appears within reach.

Another critical aspect of the cyber reserves is the capacity for improved cyber defense during armed conflict between great powers. A recent congressional policy scenario revealed weaknesses and tough choices in protecting U.S. national interests under a hypothetical conflict with China.[20] The team chose to defend critical military networks over day-to-day infrastructure and massive disinformation campaigns, leaving millions of Americans without essential services and under the influence of a Chinese Communist Party information campaign. A 300,000-strong reserve force, comparable to the National Guard, would provide a tremendous boost available to surge capability during a conflict. The breadth of expertise envisioned in the cyber reserves would defend critical infrastructure while supporting an invaluable advantage in every U.S. conflict, allies and partners. Cyber reserve coordination and participation in NATO teams like the Cyber Rapid Reaction team and state teams like France’s Cyber Citizen Reserve strengthen the bonds with NATO allies and partners.[21]

Willingness to Act

The final and most challenging aspect of achieving cyber deterrence is demonstrating the willingness to act. With the ultimate aim of influencing adversary decision-making, the campaign to demonstrate willingness involves domestic and international information operations, execution of a cyber response playbook, and lastly, patience. Deterrence through capability and willingness imposes punishment greater than potential benefits. As detailed in the 2022 National Defense Strategy (NDS), U.S. adversaries already possess significant capabilities:

The PRC employs state-controlled forces, cyber and space operations, and economic coercion against the United States and its Allies and partners. Russia employs disinformation, cyber, and space operations against the United States and our Allies and partners, and irregular proxy forces in multiple countries.[22]

Russian and Chinese capacity creates a tough but surmountable challenge.
