TY - JOUR
AU - Healey,, Jason
AB - Abstract The USA is in the midst of its most resounding policy shift on cyber conflict with profound implications for national security and the future of the Internet. The US Department of Defense (DoD) cyber strategy concludes that since US cyber forces are in “persistent engagement” with adversaries, then it is an imperative for them to “defend forward” to “continuously contest” them. The implicit prediction is that adversaries will become less effective, forced to expend more resources on defense and rebuild capabilities and infrastructure. John Bolton, the national security advisor, has boasted of a new policy to use offensive cyber operations to impose costs on adversaries and create the frameworks of deterrence. Over time, proponents suggest, these policies will be stabilizing as adversaries engage over repeated engagements in “tacit bargaining” of what is and is not acceptable leading to “more stable expectations of acceptable and unacceptable behavior”. This article advances existing research by including a deeper discussion the academic and policy background on active defense and cyber deterrence, discussing the implied causal chain of “persistent- engagement stability theory,” and analyzing potential risks, especially specific feedback loops which may amplify or dampen cyber conflict. It concludes with specific policy solutions to help mitigate these risks and a suggestion for a broader theory, “stability-enhancing engagement theory.” Introduction The USA is in the midst of its most resounding policy shift on cyber conflict with profound implications for national security and the future of the Internet. A vision statement by US Cyber Command and the cyber strategy from the US Department of Defense (DoD) conclude that since US cyber forces are in “persistent engagement” with adversaries, then it is an imperative for the military to “defend forward” to continuously contest adversaries to “limit the terrain over which the enemy can gain influence or control” [1]. The commander of US Cyber Command argues, “we must take this fight to the enemy, just as we do in other aspects of conflict,” operating “against our enemies on their virtual territory” because the military “cannot be successful if limited to DoD networks” [2]. This new strategy has quite subtle elements, requiring “persistent presence” “in foreign cyberspace to counter threats as they emerge” to seamlessly “intercept and halt cyber threats” and “provide indications and warning” to improve defenses [3–5]. The prediction—in what we might call “persistent-engagement stability theory”—is that adversaries will become less effective, forced to expend more resources on defense and rebuilding disrupted capabilities [4]. Another beneficial outcome of this constant contact that it enables “tacit bargaining,” where each side develops “more stable expectations of acceptable and unacceptable behavior,” through repeated engagements [6]. John Bolton, the national security advisor has described the new direction much less subtly: “we will respond offensively as well as defensively” and use offensive cyber operations to impose costs on adversaries and create “structures of deterrence” [7]. “Gone are the days,” agrees Vice President Michael Pence, “when America allows our adversaries to cyberattack us with impunity … American security will be as dominant in the digital world as we are in the physical world” [8]. Both the subtle soldiers and the swaggering statesmen agree, however, that over time adversaries will scale back the aggression and intensity of their operations in the face of US strength, robustly and persistently applied. This article addresses two issues. First, this article discusses the origin story of the new policy direction. Strategies do not come out of thin air but there has been little discussion of the long academic and policy background of persistent engagement. This strategy has roots, going back to the 1990s, in the twin strands of seeking a more “active defense” (especially through counter-offensive cyber operations) and cyber deterrence (especially by imposing costs, rather than improving resilience). Second, this article analyzes persistent-engagement stability theory, starting with the implied causal mechanism to examine what new actions does the strategy envisions, with what effect in the network and on adversaries, and with what overall national-security outcome. With this foundation, the article analyzes key elements and the risks. Most importantly, this article then explores the gap between the nuanced strategy and scorching rhetoric and introduces a set of negative and positive feedback loops which may dampen or amplify or cyber conflict. The article concludes with recommendations to better understand the dynamics and minimize the risks and briefly introduces an alternative theory, “stability-enhancing engagement,” which begin the analysis with the desired end-state of strategic stability and would work backwards through a more complete set of ways and means than those included in persistent-engagement stability theory. It is far from assured the new policies will be as stabilizing their proponents suggest. Persistent engagement depends on strategic subtlety, the trust of US partners, and consistent signaling to adversaries. These qualities may not be found in sufficient abundance, in Washington DC in 2019 for the strategy to succeed, despite the professionalism of the US military or the power of their cyber capabilities. Strategic stability and superiority, moreover, are presented as the almost foreordained product of cumulative tactical successes to disrupt attacks and impose costs. But in a system as complex as the Internet, “we can never merely do one thing” and even small inputs can lead to wildly disproportionate outputs in unexpected parts of the system [9, page 10]. Even if the policies do work as expected, they may fail more broadly: the actions needed to implement them may be incompatible with the larger US goal of an open and free Internet. Clashes between armies, navies, or air forces do not threaten the earth, the oceans, or the atmosphere in any meaningful or lasting manner. But cyberspace is directly affected by conflicts, especially attacks which target key infrastructures and degrade trust. It may only have a certain carrying capacity for attacks before hitting a tipping point where it is far more insecure than today. Forward defense may work as envisaged, but only with the alignment of an improbable number of factors. There seem to be far more ways for the new strategy to exacerbate cyber conflict than to dampen it, especially as it aims to achieve both stability and US superiority. Cyber may be another of the class of problems which does not have a military solution, where the use of force only makes matters worse. The process of understanding and dealing with these risks will not be completed in weeks or months, but, as with nuclear weapons, over decades. After all, this fight will not be just “persistent,” but permanent. Getting to the idea of persistent engagement The DoD, especially US Cyber Command, root their strategy in a more “active defense,” while the comments of Bolton are framed as “cyber deterrence.” These concepts – sometimes complementary but often competing – draw on decades’ worth of policy and doctrine documents and scholarship which this section will analyze in turn. It is not in the nature of professional militaries to passively wait for a blow which is certain to fall. The DoD has accordingly long explored active defense to seize the initiative in cyberspace with direct actions outside of its own networks to track, intercept, or disrupt attacks closer to their source, before they affect the DoD or the nation. The new strategy of forward defense builds on these earlier notions, only with the competition fought in foreign, not American, systems and networks. Whether focused on actions in one’s own networks or those of others, the underlying logic of active defense rests on the same principle: successful cyber defense needs action, not just reaction [10]. Jacquelyn Schneider described much of this history back to 2011, in a recent Lawfare article, but the story actually begins much earlier [11]. The history of active defense goes back at least to 1996, when a Defense Science Board (DSB) summer study called on the DoD General Counsel to promulgate “rules of engagement for self-protection (including active response)” and “propose legislation, regulation, or executive orders as may be needed to make clear the DoD role in defending non-DoD systems” [12]. Less than two years later, a draft version of the charter of the very first cyber command proposed allowing it to engage in active defense outside of DoD networks [13].1 That section was removed because the term was undefined, falling in between the accepted terms of computer network attack (CNA, or broadly speaking, offense) and computer network defense (CND). Active defense often is mistakenly equated to “hack back” but can include a wider set of actions such as indictments and sanctions, “being able to hunt within the military’s own networks” to find adversaries, or using intelligence collection and analysis to anticipate and disrupt their operations [14]. The DoD’s first formal definition of “active cyber defense” focused on actions within its own networks: “synchronized, real-time capability to discover, detect, analyze, and mitigate threats and vulnerabilities … at network speed by using sensors, software, and intelligence to detect and stop malicious activity before it can affect DoD networks and systems” [15]. By the late 2000s, the DoD had developed a new term, CND Response Actions (CND-RA), for “a specific subset of self-defense … to a specific hostile action” [16]. DoD doctrine now calls the concept Defensive Cyber Operations-Response Actions (DCO-RA). This term applies “where actions are taken external to the defended network or portion of cyberspace without the permission of the owner of the affected system … normally in foreign cyberspace. Some DCO-RA missions may include actions that rise to the level of use of force, with physical damage or destruction of enemy systems” [17]. Not all DCO-RA missions are intended to apply force to directly disrupt adversary operations, as commanders often want the cyber equivalent of one-on-one coverage, pivoting with adversaries through foreign cyberspace. DCO-RA are also distinct from Offensive Cyber Operations (OCO), “missions intended to project power in and through foreign cyberspace [to] target adversary cyberspace functions or create first-order effects in cyberspace to initiate carefully controlled cascading effects” [17]. Military officers rarely describe their new vision in terms of more offense, unless they specifically mean very high-end armed attacks for purposes of deterrence or counter-terrorism operations such as against ISIS, especially in recognized war zones like Syria and Iraq. Policymakers such as Bolton and Pence tend to mix these categories and call of them all offense, though it is not clear if this is simple confusion, “truthful hyperbole,” or intentional signaling of strength to domestic audiences or foreign leaders. This dangerous rhetorical gap will be explored in more depth later. This DoD pursuit of a more active defense but has been thwarted both by executive and legislative impediments. The White House first exerted meaningful political control over offensive cyber operations in July 2002, through a process and guidance specified in National Security Presidential Directive 16. This document remains classified but tasked the government with developing “guidance for determining when and how the United States would launch cyber-attacks against enemy computer networks” [18]. Two years later, that guidance was issued as NSPD-38, mandating operational coordination (for example, to enforce coordination so different intelligence agencies are not all operating in the same adversary system and to coordinate with the military if those systems needed to be attacked) as well as interagency policy coordination2. The original authority for CND-RA was “described, constrained, and granted through standing rules of engagement” from the president, through the secretary of defense [16]. After the new concept of DCO-RA, the military was looking for a more active role, with a 2012 article reporting that the “Pentagon has proposed that military cyber-specialists be given permission to take action outside its computer networks to defend critical U.S. computer systems” [19]. From 2012 until 2018, offensive cyber operations (specifically including DCO-RA) were regulated by the still-classified (but leaked) Presidential Decision Directive 20 (PPD-20). An unclassified summary says PPD-20 includes “principles and processes for the use of cyber operations,” with a “whole-of-government approach” to coordination, allowing flexibility “while exercising restraint” [20]. The principle is to “undertake the least action necessary to mitigate threats and that we will prioritize network defense and law enforcement as preferred courses of action.” It is likely that the policy covers only warfighting activities and not cyber espionage (which falls under PPD-28) or covert action, even when conducted by military units [21]. PPD-20 appeared to allow the military only limited flexibility to conduct military operations outside their own networks, even in self-defense. Approval for significant DCO-RA and offensive cyber operations under PPD-20 remained with the president and is not further delegated to the civilian secretary of defense or the four-star general or admiral leading a Combatant Command. Rather, approvals had to be secured through interagency discussion between “Cyber Command, and the Department of Defense, and then the National Security Council,” as well as other relevant departments like State and, for attacks affecting financial networks, Treasury [22]. This interagency process was in place to ensure civilian control over the military; limit potential escalation; allow other agencies that might be affected by cyber operations to have a say; and to confirm the military had a reasonable degree of certainty their operation would succeed, not be too destabilizing or embarrassing, and not cause undue collateral damage. The technical, diplomatic, and legal ramifications of conducting operations in the territory of adversaries and allies are complex, and “one can readily imagine … why military commanders might wish to be freed from the resulting friction” [23]. Even those who helped create the rules felt they was creating too much of a bureaucratic roadblock, episodic, and slow, without delivering on these goals.3 Cyber operations in an existing warzone had a smoother process. General Paul Nakasone, current commander of US Cyber Command, testified that the approval process led to a “tremendous amount of success with ongoing operations [in] our fight against” the Islamic terror group ISIS [22]. The commander of Navy cyber forces agreed that the process “has not kept us from delivering effects when we’ve been required to deliver them” [24]. This smoother process however seems to have been geographically limited, as the previous cyber commander, Admiral Michael Rogers, expressed frustration over restrictions on acting against ISIS “outside the designated areas of hostility” in Iraq, Syria, and Afghanistan [25], perhaps one reason why Ash Carter, secretary of defense for much of the fight, lamented US Cyber Command “never really produced any effective cyber weapons or techniques” [26] Accordingly, when US Cyber Command began its push for forward defense this meant, in public policy terms, requesting changes to PPD-20 to pre-delegate authority: a “streamlined channel for military leaders to get their offensive cyber operations greenlit” [27]. Only a few months after the US Cyber Command vision, in September 2018, the White House implemented changes and “repealed what is known as PPD-20” in a new document, NSPM-13 [7, 28]. John Bolton, the National Security Advisor was clear that, “Our hands are not tied as they were in the Obama administration” and the previous “restraints” were now “effectively reversed” [7]. There have also been significant legislative hurdles, with DoD lacking “authorities” to limit active defense and offense. Now, “Congress has passed legislation that not only clears away domestic law obstacles … but also, to some extent, affirmatively encourages such operations” [29]. Changes to the National Defense Authorization Act (NDAA) of 2019, especially section 1302, clarify that even clandestine military operations “to defend the United States” for “preparation of the environment, information operations, force protection, and deterrence of hostilities, or counterterrorism operations” were not covert actions requiring special Congressional notification but “traditional military activities” [30]. This clarification authorizes quite active measures. “Preparation of the environment” means reconnaissance and surveillance operations into foreign and adversary systems, and implant malicious software, in case the president orders the military ever attack those networks and systems. Operations for “deterrence of hostilities” can mean implanting destructive malware as a threat to hold adversaries’ critical infrastructure at risk, not necessarily to win a battle as much as hopefully forestalling a war. These legislative changes, according to one senior military leader, “freed us up to do some of the things, the operational preparation of the environment, that we were limited from doing outside of the counterterrorism mission and now can do much more broadly against all of our peers and competitors” [31]. With these new executive and legislative authorities, military officials now report “a lot more agility to go on target but a lot more persistent ability as well so we can, as the adversary tries to maneuver, we can actually stay with the adversary,” agility that is seen as central to active cyber defense outside of DoD networks [32]. Both US Cyber Command and DoD treat the new strategy of forward defense as complementary but distinct from cyber deterrence, those actions “affecting the calculations of an adversary … to convince adversaries not to conduct cyber attacks or costly cyber intrusions” [33]. In terms of systems theory, deterrence implies that having a fearsome cyber capability, and the will to use it, results in “negative feedback,” that is, deterrence will stabilize a potential crisis by nudging the system back towards the status quo and away from the more extreme outcomes. Policymakers have not been as careful as the military in distinguishing between forward defense and deterrence. Most notably, National Security Advisor John Bolton specifically tied the “revocation” of PPD-20 to cyber deterrence: We have authorized offensive cyber operations […] not because we want more offensive operations in cyberspace, but precisely to create the structures of deterrence that will demonstrate to adversaries that the cost of their engaging in operations against us is higher than they want to bear [7]. The academic and policy history of cyber deterrence is as lengthy as that of active defense. Indeed, the same 1996 DSB study that called for a more active response also argued that “In the information age as in the nuclear age, deter is the first line of defense,” and called for an appropriate declaratory policy [12]. The first official US position on cyber deterrence was the White House’s 2003 National Strategy to Secure Cyberspace which contained a simple (and overlooked) declaratory statement that when the nation was attacked “through cyberspace, the U.S. response need not be limited to criminal prosecution. The United States reserves the right to respond in an appropriate manner” [34]. Since then, the USA has addressed deterrence in nearly every statement of cyber policy. In 2006, the Chairman of the Joint Chiefs went farther, wanting to scare others from not just using capabilities but even bothering to develop them in the first place. The desired military “end state” was where “[a]dversaries are deterred from establishing or employing offensive capabilities against US interests in cyberspace” [35]. Calls for deterrence were also in the Comprehensive National Cyber Initiative (2008) [36], the Defense Strategy for Operating in Cyberspace (2011) [15], and Executive Order 13800 (2017) [37], The National Cyber Strategy of 2018 makes clear the view that imposing costs will limit escalation: “The United States must also have policy choices to impose costs if it hopes to deter malicious cyber actors and prevent further escalation,” so accordingly will “develop swift and transparent consequences, which we will impose … to deter future bad behavior” [38]. But the growing stack of policy statements calling for cyber deterrence is matched by skeptical research. In the canonical book on the topic, Cyberdeterrence and Cyberwar, Marin Libicki noted nearly a decade ago that “attribution, predictable response, the ability to continue attack, and the lack of a counterforce option are all significant barriers” [39]. As other experts have elaborated, further “complications for analysts arises in understanding the decision-making process within the aggressor state” sufficiently to develop deterrence options” [40]. Scholars generally concur on these obstacles to deterrence and may also posit additional factors such as the ubiquity and complexity of the Internet [41], dearth of assured response [42], nature and motivation of opponents [43], and “lack of shared understandings about what would constitute escalation” [44]. Further, “it is difficult to convince foreign leaders (and foreign hackers) that the costs of hacking really do outweigh the benefits” and “virtually impossible to know if deterrence is working” [45]. Recent scholarship and policy has advanced past these concerns in several ways. First, Joseph Nye has expanded out the understanding of deterrence as it relates to cyber conflict to include “punishment, denial, entanglement, and norms,” a richer set of considerations [46, 47]. Also, it increasingly clear that deterrence “has been operative for some time” as major cyber powers have avoided attacks above the threshold of death and destruction, seeking “strategic advantage through competition without triggering armed conflict” [2, 48]. The analysis is no longer theoretical, as it is now supported by a documented instance of cyber deterrence, but with the USA on the receiving end, as part of one of the most consequential cyberattacks ever—the interference in the US presidential election of 2016. The administration of President Barack Obama took response actions off the table, according to multiple accounts from the principals involved in the Situation Room decisions, out of concern that Russia would escalate “against America’s critical infrastructure—and possibly shut down the electrical grid” or engage in “hacking into Election Day vote tabulations” [49]. Second, current research at Columbia University has revealed important insights on the underlying dynamics of cyber conflict. Some characteristics that might make deterrence difficult are not permanent aspects of the domain but change over time. The most important change relevant to this discussion is the rapid improvements in quality and speed of attribution, at least in the USA. The White House was able to publicly call out North Korea (for the attack on Sony Motion Pictures and WannaCry malicious software attack) [50] and Russia (for the NotPetya malicious software) [51]. It can still take weeks to have a reasonably clear picture, but it is no longer true that “Whereas a missile comes with a return address, a computer virus generally does not” [14]. In addition, it may no longer be true that there is a lack of counterforce options. Much of the new strategy of persistent engagement is predicated on takedowns of adversary command-and-control and attack infrastructure, operations similar to public-private botnet takedowns, such as that against GameOver Zeus [52]. Third, an increasing body of scholarship is addressing the dynamics of cyber conflict below the threshold of death and destruction. For some years, scholars and practitioners had recognized that cyber conflict was a regular back-and-forth between adversaries, with only particularly important incidents making it into public awareness. A 2016 article by Richard Harknett and Emily Goldman went beyond these inklings to build a new paradigm of cyberspace as an “offense-persistent strategic environment” in which “the contest between offense and defense is continual [and] the defense is in constant contact with the enemy” [53]. Harknett and Michael Fischerkeller later expanded on this idea, arguing that “deterrence is not a credible strategy” as it is generally “based upon a threat of use of force with an operational objective of avoiding costly operational contact.” This does not describe cyber competition, they argue, where adversary cyber forces are actively contending with one another all the time, below the level of armed attack. Moving from description to prescription, they argue “if the United States is to shape the development of international cyberspace norms, it can do so only through active cyber operations that begin to shape the parameters of acceptable behavior” [54]. Michael Sulmeyer complemented the argument that the USA should spend less time trying to deter adversaries “and more time preempting them and degrading their ability to [hack]. It is time to target capabilities, not calculations,” with tactics including “a campaign of erasing computers at scale” and other actions to make “every aspect of [an adversary’s] hacking much harder” [45]. Deterrence options might be useful to prevent high-end armed attacks through cyberspace, but below that threshold, these authors argue, concepts rooted in active defense will be more successful. Operating in a world of persistent engagement The US Cyber Command vision, “Achieve and Maintain Cyberspace Superiority,” is a critical document, perhaps the single most important articulation of cyber policy in two decades. It stems directly from this Goldman–Fischerkeller–Harknett lineage (and subsequently drove the DoD Cyber Strategy and parts of the White House National Cyber Strategy). This is perhaps unsurprising as all three are international relations scholars who have worked at US Cyber Command. Around the official launch of the Vision, Harknett published a companion article establishing the scholarly foundation of the official Vision, which is also important for the following analysis as is a recent interview with, and article by, General Nakasone [1, 2, 55]. Together this work is coalescing in what might be called persistent-engagement stability theory that promises to simultaneously limit escalation and lock in US superiority. This section describes the new theory with analysis in the section following it. The Vision notes adversaries use “continuous operations and activities against our allies and us in campaigns short of open warfare.” This emphasis on “continuous operations” is vital: cyber warriors are not just loitering in their barracks, and their capabilities are not sitting in the arsenals awaiting some future war. They are constantly engaged in offensive, defensive, and espionage operations, “more like soccer than [American] football,” as expressed by Trey Herr.4 Harknett’s companion piece elaborates further that “adversary behavior intentionally set below the threshold of armed aggression has strategic effect.” Historically, this kind of strategic effect “required territorial aggression (or the threat thereof),” but now cyber operations “can impact relative power without traditional armed aggression.” He believes that the “status quo is deteriorating into norms that by default are being set by adversaries.” To achieve cyber superiority, US Cyber Command argues it is vital to “defend forward as close as possible to the origin of adversary activity, and persistently contest malicious cyberspace actors.” This requires “scaling to the magnitude of the threat, removing constraints on our speed and agility, and maneuvering to counter adversaries” [3]. According to the deputy commander of US Cyber Command, “defending forward is nothing more than being active in your defense, just like [the DoD] have always done: fight forward, disrupt forward, deny forward. Make [the adversary’s] servers less effective and have minimal number of clean-up issues in blue space,” that is in DoD and US networks [56, at 26: 30 min]. Yet, US Cyber Command has provided little insight on the kinds of actions they envisage or the causal mechanisms of how those lead to stability, and there is disagreement even within the DoD about these terms, leaving even close watchers of cyber conflict struggling to understand the concept. A close reading of the key documents, interviews, speeches, and supporting scholarship suggests the implied hypothesis starts with the grievance (step 1) then combines active defense (steps 2 through 8) with deterrence (step 9) to result in stability and US superiority (the outputs, step 10). Together, these causal steps describe a coherent persistent-engagement stability theory. Adversaries are conducting free-for-all attacks to destabilize the United States (and its allies) and “degrade sources of national power” [2]; US cyber forces must defend forward against these threats, maneuvering to positions of advantage in foreign cyberspace to maintain persistent presence so “as the adversary tries to maneuver, we can actually stay with the adversary” [32]5; To achieve this advantage, the US cyber forces must operate with reduced operational constraints, “to act as we see emerging threats and opportunities in this space” [32]6; With persistent presence, the USA can “intercept and halt cyber threats,” [3] enter “an adversary’s network to learn what they are doing as a means of improving defenses,” [32] and “degrade the infrastructure and other resources that enable our adversaries to fight in cyberspace” [2]; Persistent presence will allow the USA to observe adversary behavior and warn targets of the details of coming (or ongoing) attacks, improving US defense. Partnership with other parts of the US government and the private sector are key [5]; Together, these actions impose friction, over days and weeks, to directly disrupt specific adversary operations; Friction will also, over weeks and months, impose “cumulative costs,” forcing adversaries to spend more resources responding to US actions thus reducing their ability to attack [2]; Through repeated interactions, over months and years, there will also be a stabilizing process of tacit bargaining as adversaries mutually discover each other’s guardrails, to bound conflict so it does not escalate [6] (This is the desired goal of persistent engagement, steps 2–7.) US cyber forces will simultaneously use more purely offensive cyber capabilities for deterrence purposes, to threaten targets that adversaries value to clarify the strategic costs of attacking the United States and reducing their willingness to attack; Adversaries will, over months and years, moderate their behavior in response to U.S. actions, creating a more stable environment and continued US superiority. (This is the desired goal of persistent engagement plus deterrence, steps 2 through 9.) What does all this mean in practice? A quick analysis starts with the active defense pieces, steps 2 through 8, going beyond “episodic” DCO-RA operations and instead persistently “seizing the initiative, retaining momentum, and disrupting our adversaries’ freedom of action” [3, page 4]. If, for example, as Russian intelligence services take over computers in other countries from which to conduct espionage or disruptive campaigns against the USA and our allies, US Cyber Command will have the authority to apply some “tactical friction and strategic costs…compelling them to shift resources to defense and reduce attacks” [3]. US cyber forces would establish their own presence, follow the Russians as they pivoted through foreign systems, kick out them out of compromised systems, and even take control of the Russian malware. Such interdiction would be “traditional military activities,” requiring less oversight, approval, and coordination with interagency partners. It is not seen by the DoD as “offensive” but “defensive,” akin to “kicking the knife out of the hand” of an attacker7 or laying down suppressing fire to force them to keep their heads down. US Cyber Command does see actions like information sharing and resilience as part of persistent engagement, but these do not feature heavily. To make this new cocktail, “Take the Fight to the Enemy,” the recipe is 5 parts “intercept and halt” to one part “build partnerships and resilience.” It is a euphemism when cyber officers say they want to “maneuver seamlessly across the interconnected battlespace, globally”—the “seams” are national borders and the perimeters of networks of owned by corporations and private individuals [2]. As an example, if the Russians hopped from a system in Belarus to a corporate network in the Netherlands, US Cyber Command need not check with the State Department (much less the Dutch themselves) before following them in. Any violation of Dutch sovereignty or security would be the Russian’s doing, not those of the pursing US forces. As the US Cyber Command deputy commander has put it, “I want to find him wherever he is, and I want to disrupt him whether that’s in grey space … or back at [their] home” [56, at 26: 10 min]. The general suggests the potential need to redefine sovereignty in a digital age so this kind of US operation can happen at network speed within that grey space: “If this domain is global, tell me where the boundaries” of my adversaries are [56, at 16: 30 min]. A second feature, implied in phrases like imposing “strategic costs,” is for US Cyber Command to hold at risk an adversary’s critical infrastructures for deterrence purposes. This is not part of “defending forward” but the complementary deployment of offensive cyber capabilities so that if adversaries want to hold US infrastructure at risk, then the president has similar, symmetric options. If the Russians were able to change the decision calculus of the Obama administration by holding the US electrical grid at risk, then the USA might want the option of doing the same to the Russian grid (or whatever other targets they may similarly value). Harknett and Fischerkeller argue that the DoD needs separate but complementary strategies for deterrence and persistent engagement, to cover two different “strategic environments” [57]. Persistent engagement is relevant in the constant contact of “cyber strategic competitive space short of armed conflict … to advance national interests while avoiding war.” Deterrence, in contrast, is for the “strategic space of armed conflict” and must be “aligned with managing the potential for armed conflict or armed attack-equivalence” [57]. This point, that deterrence is relevant mostly or only for managing armed conflict and not the kind of competition seen today in the networks, has been a controversial point and will be explored in the next section. Most problematic, even supportive policymakers like Bolton conflate persistent engagement with deterrence. The result of these actions is step 10: the desired outputs of stability and US superiority. One driver of the new strategy was a view that “a failure to respond to cyber attacks is an invitation to follow-on cyber attacks of (at least) a similar nature and scope, which may be even more escalatory over the long term than responding in a compelling manner” [33]. Persistent engagement, according to Harknett, “can, over time, lead to a normalization of cyberspace that is less free-for-all and potentially more stable” [55]. Constantly engaging is therefore part of an “agreed competition” [57] between adversaries which should “clarify the distinction between acceptable and unacceptable behavior in cyberspace” [3, page 6]. This process is meant to illuminate and reinforce the guardrails containing cyber conflict and establishing an equilibrium at lower levels of competition. There might still be constant contact but without the “bigger swings” of particularly dangerous incidents [58]. Tacit bargaining elevates and transforms the original tactical goal of active defense, intercepting attacks before they reach US networks, into both strategic stability and US superiority. The US goals begin with stability, to stop “behavior in cyberspace that is destabilizing and contrary to national interests” and conclude with an insistence on “preserving United States overmatch in and through cyberspace” [38]. “Persistence through superiority,” the US Cyber Command vision insists, will also “influence adversary behavior, deliver strategic and operational advantages for the Joint Force, and defend and advance our national interests” [3, page 5]. A coherent strategy, but risks abound The new strategy is a compelling assessment of cyber conflict as a state of constant contact and presents a strong case that reduced operational constraints enabling tactical friction to regain the initiative will nudge conflict back towards lower levels of aggression [9]. It is worth noting that forward defense is only one among several policies that can be termed active defense or indeed cyber deterrence: the administration of Donald Trump has continued and expanded a wide set of policy tools used by previous administrations, including sanctions and indictments [59]. It has also introduced new responses, most importantly coordinated international attribution of Russian [60] and North Korean [61] operations seen as particularly insulting to global norms and getting search warrants for computers outside of US territory in order to disrupt a North Korean botnet [62]. Still, it is no wonder that the US military has embraced an academic concept justifying its decade-long desire for reduced operational constraints and a more active posture to “take the fight to the enemy.” There remain major concerns. An overarching worry is that US Cyber Command does not appear to see this approach as fundamentally risky. The Vision asserts that the Command wants to be “not risk averse but risk aware” but it only highlights one procedural risk (an insufficient body of highly trained personnel) and one diplomatic risk (adversaries will falsely “seek to portray our strategy as ‘militarizing’ the cyberspace domain”). But those are the only risks the Command can imagine, or at least, is willing to publicly acknowledge. Indeed, because defending forward is framed as essential—“if the United States is to shape the development of international cyberspace norms, it can do so only through active cyber operations” [54], and “not a choice, but a structurally and strategically driven imperative” [57]—then the main risk is failing to adapt quickly and forcefully enough. To get to the promised land of milk and honey, superiority and stability, there is only one path: forward defense. It is technically determined that there is a single dominant strategy, one that is the best regardless of the strategies chosen by US adversaries. As in the Cold War, the military is again attempting to “pose starker alternatives and to couch them in terms of necessity rather than choice:” either remove constraints on the military or lose [63]. Imperatives are slippery things. Some are not imperatives at all, just a particularly unyielding perspective or preference presented as a dichotomy. How many US airmen died in World War Two because of the bomber-driven cult of the offensive? Other imperatives may be critical to tactical success but imperil the larger strategy, perhaps winning the battle but losing the war. The battlefield imperative to use overwhelming firepower can, for example, be fatal to a counterinsurgency strategy if it causes extensive collateral damage. Even seeming strategic imperatives can lead to catastrophic national security outcomes, as with Wilhelmine Germany’s pursuit of a grand fleet-in-being to challenge the British [64]. The dynamics here may be similar. A more thorough assessment of the risks must be rooted with the simplest one, the strategy might fail and intensify competition. Many assumptions, apparently unrecognized, underlie the belief that the USA can have both superiority and overmatch as well as stability. Yet, in a system as complex as the Internet, “we can never merely do one thing” [9, page 10].8 As Herb Lin and Max Smeets of Stanford University highlight, “neither ‘escalate’ or ‘escalation’ appear in the [Vision] document,” a significant omission which suggests US Cyber Command is downplaying, or not fully thinking through, the full dynamics of conflict [65]. A more engaged forward defense might result not in “negative” feedback—reducing conflict by bringing it back to the historical norm—but instead “positive” feedback, exacerbating the conflict and adversaries may see the new US vision as a challenge to rise to, rather than one from which to back away [9, chapter 4]. According to my colleague Robert Jervis, “a failure to anticipate positive feedback is one reason why consequences are often unintended,” [9, page 165] and sufficient positive feedback can push the system past a tipping point, at which the system resets itself into a new, and potentially far more dangerous, equilibrium. States have decided to keep their attacks below certain thresholds, but conflict and competition in cyberspace is only a few decades old. This may only be a phase, and an early one at that. As cyberspace becomes more existential for more states, the stakes continue to rise, elevating the risks along with them. Persistent-engagement stability theory, the chain of causation implied by the strategy, contains several feedback loops which interact to amplify (positive feedback) or dampen (negative feedback) conflict. These fall into three broad categories. The first focuses on the activity “on-net,” that is the dynamics stemming from adversaries being in constant contact. It includes three interrelated feedback loops related to friction, tacit bargaining, and tit-for-tat. These tend to be more direct and immediate then the second category, the “off-net” feedback loops of deterrence, perceived restraint and adherence to norms, posture, organizational dynamics, and emotion and cognitive biases. The last set includes the impact on persistent engagement on the larger environment of cyberspace and other US priorities, such as an open, free, and resilient Internet. The feedback loops in each category interact with each other in complex ways, reinforcing each other or cancelling one another out. These effects are hard to disentangle, so this article will introduce only some of the more important and obvious effects. Because the existing documents emphasize the stabilizing impact of the new strategy, for balance this section focuses more on the potential hazards. The on-Net risks The three feedback loops stemming from constant on-net activity (steps 4 through 7 of the causal chain above) deal with the stabilizing or de-stabilizing effects of friction, tacit bargaining, and tit-for-tat attacks. The new DoD strategy is built first on friction, that operations to “intercept and halt cyber threats” [3, pages 1–4] and “degrade the infrastructure and other resources that enable our adversaries to fight in cyberspace;” [2] will impose costs and directly frustrate adversary operations, imposing negative feedback. Having to defend themselves and rebuild infrastructure and capabilities, adversaries have fewer resources for offense. However, friction may provide positive feedback if capabilities and infrastructure are particularly inexpensive to rebuild or the adversary can obtain additional resources relatively easily. According to General Nakasone, “barriers to entry are low and the capabilities are rapidly available and can be easily repurposed,” so it is possible that over the medium term, adversaries can easily adapt to US friction [1]. If there is a strong positive feedback loop, then each side (including ours) will go back to its legislatures or paymasters, asking for yet more funds and looser rules, pointing to the other side’s newly aggressive forward defense as proof of its intransigence. While it’s true that adversary operations have grown aggressive, surely they can become more aggressive still. Adversaries may be able to scale faster and better than the USA, which will then have to back down or become even yet more aggressive, demanding larger budgets, lower thresholds for approval, and operations even more forward. Conflict could easily spiral into a war of attrition, fought primarily over private networks. Friction does not only operate on its own but is also tied to the feedback loops of tacit bargaining and tit-for-tat dynamics. Harknett and Fischerkeller believe the constant contact of cyber forces leads to a “strategic process of tacit bargaining,” compared to explicit bargaining such as treaties [57]. As adversaries seek to “outmaneuver each other to achieve an advantage or at least avoid a disadvantage,” the “interactive process will result in tacit understandings among and between adversaries of what behaviors are acceptable/unacceptable in cyberspace” [57]. Accordingly, the DoD “strategy of persistent engagement will serve to clarify the distinction between acceptable and unacceptable behavior in cyberspace and, consequently, contribute to stability” [57]. Tit-for-tat dynamics are the opposite of tacit bargaining, generating dangerous positive feedback if nations felt the need for equivalent retaliation (or rather, aim to “be a little more than proportionate” in the words of one former policymaker) to the stings of incoming cyber attacks [66]. If today’s cyber conflict indeed represents agreed competition then a new US push for significantly more engagement and disruption of adversaries may require patience, especially subtle operations, and clever signaling. For example, if US operations are to nudge adversaries closer to norms, then US operations should degrade only those that fall outside of those accepted norms. But if the interception of adversary attacks occurs early and as close to the adversary as possible, then how can the DoD know the actual intention of the operation and if it would violate norms? Bolton further confused the issues by announcing “the hacking of the Office of Personnel Management by China … [is] the kind of threat to privacy from hostile foreign actors that we're determined to deter” [7]. This intrusion, while significant, was only espionage and as such well within previously stated US norms. Iran’s Shamoon attack against energy infrastructure in Saudi Arabia and Qatar seems to have simply been a proportional response to a similar piece of malware which disabled its own oil wells just weeks before—even though it was painted by the US Secretary of Defense as a significant escalation (and used to justify higher budgets) [67]. It will be far harder to achieve “tacit agreement” if the USA and other adversaries have a mismatch between subtle operations and jingoistic signaling; assert too many red lines (which shift over time) [68]; and keep two sets of norms, one for their own activity (because we’re the good guys) and a far stricter one for adversaries (because they’re villains) [69]. James Clapper, the former US Director of National Intelligence, has described the “Goldilocks” problem the Obama administration experienced trying to calibrate responses to operations such as those by Russia and Iran: the US countering actions needed to be forceful enough to convince the other side to back down but no so hard that they decide to escalate.9 If cyberspace is truly one where persistent engagement is an imperative, then all adversaries must conduct Goldilocks operations, indefinitely. This does not worry Harknett, who argues “that it is not contradictory to assume that in an environment of constant action it will take counter action to moderate behavior effectively” [55]. But the strategy elevates this mere assumption into a core principle, an unchallenged fact and imperative. It is quite optimistic to assume constant contact will be self-balancing, trusting tacit bargaining to keep its invisible hand on the rheostat, stabilizing conflict over the decades. Such confidence is particularly misplaced if adversaries aim for a goal of overmatch and superiority, and not stability, as each side is pressured to one-up the others in a potentially existential fight for cyberspace. There are no demilitarized zones in cyberspace to separate opposing militaries and no strategic depth to absorb and delay assaults. How can the fighters in the cage understand the proper limits of a match that will recur daily? Someday, one side will go a bit too far, punch a bit too hard, pull a trick a bit too dirty, and ignore its opponent’s “too much” tap-out. At what point will U.S. Cyber Command need U.S. European Command and NATO to tag into the fight? [70]. Even the most experienced and professional teams of US Cyber Command will make mistakes, as will our adversaries’ teams, as all sides inevitably have done in wartime. These mistakes may be misread as intentional signaling or brazen disregard of agreed-upon norms. To deal with these risks, persistent engagement lacks both a theory of communications between adversaries and any practical means of communication other than conflict itself. The conversation to find agreement, tacit, or otherwise, will largely be between military and intelligence forces actively contending against each other, which has been described as “hand to hand combat” or being “under cyber siege” [71, 72]. Neither of these types of conflict is particularly known for establishing decency or restraint between the antagonists. There are almost zero out-of-band means to signal and de-escalate cyber tensions, complicating efforts to convince other nations a mistake is not an intentional attack. There is no direct communication between the US Department of Defense and the Chinese People’s Liberation Army, as China’s leadership is still incensed over the US indictment of five PLA cyber officers.10 The main channel of communication is between the US Department of Homeland Security and China’s Ministry of Public Security, of little use during a military crisis. Russia and the USA do have a “cyber hotline” connecting the White House with the Kremlin and a second line to link each side’s computer emergency response teams [73], there is no direct or routine military-to-military contact. The off-Net risks This ties directly to the second set of feedback looks, those dealing with off-net behavior and decisions: deterrence, perceived restraint and adherence to norms, posture and organizational dynamics, and emotion and cognitive biases. The feedback loop of deterrence has largely been described in the earlier section. Persistent engagement advances that earlier work to suggest three mechanisms by which deterrence will impose negative feedback. First, some US actions will be intended primarily for deterrence, such as those (described in a New York Times article) to place “‘implants’—software code that can be used for surveillance or attack—inside the Russian [electrical] grid” [74]. Though the DoD later called the story inaccurate, this kind of operation is not defending forward, as it is not directly degrading Russian capacity to fight (steps 2–7 of the theory) but affecting their willingness to do so (step 9). Proponents of persistent engagement expect it to affect the willingness of adversaries to attack the USA (though such deterrence is not the main selling point). Emily Goldman, one of the intellectual parents of persistent engagement as a senior executive at US Cyber Command, expressed it this way: “over time, if you push back, hopefully you’ll get a deterrence effect … At some point, [adversaries will] come to a sense that this is not worth the energy we’re putting in to try to do x, y or z” [31].11 In addition, there is a third belief, that organizational structures themselves can deter and be stabilizing. Admiral Rogers, when he was commander of US Cyber Command, for example, drew a direct Cold War parallel to assert that capability would lead to stability: We rapidly learned that we needed a nuclear force that was deployed across the three legs of the triad and underpinned by robust command and control mechanisms, far-reaching intelligence, and policy structures including a declared deterrence posture. Building [this] took time and did not cause a nuclear war or make the world less safe. On the contrary, it made deterrence predictable, helped to lower tensions, and ultimately facilitated arms control negotiations [75]. Together, these elements form a tight package which in many ways hews closely to traditional US military thinking on deterrence: peace through strength. Yet, much of this analysis is heavily influenced by logic of Cold War stability which may not be appropriate. There was then, to begin with, a much clearer distinction between intelligence collection (which could be stabilizing) and warfighting. A Soviet intelligence collection trawler could not be mistaken for a ballistic-missile carrying submarine; an air defense track of a B-52 bomber was clearly not the same as a U-2 spy plane. Moreover, Cold War surveillance and intelligence, were fundamentally stabilizing: each superpower could use National Technical Means to have near-instantaneous detection of an ICBM launch by the other side. The nuclear warfighters of the Strategic Air Command may not have liked knowing Soviet satellites were staring down at their missile fields, but it was one cost of strategic stability. In cyberspace, intelligence operations are much more escalatory than implied by the admiral’s reading of history. Espionage and surveillance cannot easily be distinguished from the operational preparation needed for an attack. Allowing a Russian or Chinese cyber presence to monitor US strategic warfighting capabilities would be considered practically treasonous. In addition, the primary value of nuclear organizations and force structure were to signal strength and capability, not to fight a nuclear war but to forestall one. Cyber capabilities and commands in contrast, are there to be used. Joe Nye believes the strategy depends on a “truncated concept of deterrence that places too much emphasis on the dimension of retaliation and denial”.12 After all, even in constant contact there are spikes of activities, episodes like Sony or WannaCry where deterrence seems to have a role to convince adversaries to act differently (as happened to the US policymakers responding to the election interference under the shadow of Russian threats to the electrical grid). Forward defense, and other elements of the new strategy, may have a stabilizing deterrent effect only if the dice roll the right way and their effects align with other off-net feedback loops. The feedback loop of perceived restraint and adherence to norms is straightforward. If states perceive other states are generally ignoring norms, they are less likely to see benefit of themselves complying leading to negative feedback. Of course, the converse is true as well, introducing stability if most nations are seen to comply with most norms most of the time, leading to dynamics similar to, but on longer times scales than, tit-for-tat. Harknett claims that the “status quo is deteriorating into norms that by default are being set by adversaries,” and there is indeed overwhelming evidence that adversaries are showing little restraint (below the threshold of death and destruction). General Nakasone highlights some of the most egregious: “global surveillance of opposing views, … stealing unprecedented quantities of intellectual property and personal data, disrupting democratic processes, holding critical infrastructure at risk, and eroding U.S. power,” as well as attacks with global effects like WannaCry and NotPetya and incidents where states disrupted companies, such as Sony Motion Pictures [1]. But this is only half the story, ignoring where the USA may be perceived as pushing the boundaries. The USA did not naively learn about cyber conflict through “passive discovery,” as Fischerkeller and Harknett propose, but by actively intruding into adversary (and allied) nations for the past two decades—and occasionally conducting significant sabotage [76]. The USA may have shown restraint in disruptive military action (Title 10 under US law) but not in espionage or covert action (Title 50). The new strategies mostly ignore the escalatory effects of these actions which are the responsibility of spies, not soldiers. These actions are legally distinct from military operations, though those conducting them are often commanded by the same leaders, operate from the same buildings, and often use the same capabilities and accesses. General Nakasone recommends continuing this “dual-hat” relationship at least through 2020 [77]. If adversaries (and allies) cannot (or do not) distinguish between military operations and espionage/covert action, then US military restraint will get a bit lost in the noise. This is not to suggest a moral equivalence to USA and adversary operations, but perhaps there is an escalatory equivalence. All major states are greedy in cyberspace looking to disrupt some part of the status quo and seeking to seize as much “territory” (hop points and command and control architecture) and “high ground” (such as core Internet routers) for themselves. Tacit agreement may ultimately be impossible because of category issues. The USA largely only wants to deal with issues of cyberattack, espionage, and defense while adversaries may care at least as much about the flow of hostile information across borders. Journalism, social media, free speech, and unlimited communication with foreigners are more immediate and existential threats to their regimes. The apparent US blind spot here is clear when senior military leaders note that adversary behavior changed “after 2013 when states began disrupting a series of networks within the United States” and then moved to destructive attacks in 2014 [1], without mentioning the potential correlation with the US–Israel covert Stuxnet attack on Iran (which became public in 2011) [78], the Snowden revelations of US capabilities and operations far more widespread than ever imagined (which started in 2013),13 and the digitally fueled revolutions of the Arab Spring (2011) and Euro Maidan in Ukraine (2013). Russian election interference may have been driven, in part, by Vladimir Putin’s belief that the leak and online release of the Panama Papers, detailing dirty money, was a US covert action aimed at “defaming Russia,” according to US intelligence, or even a “personal attack” on him and his cronies [79, 80]. Adversaries could suspect, with increasing confidence, that the USA was itself guilty of the same thing the USA now accuses them of: “continuous, nonviolent operations that produce cumulative, strategic impacts by eroding … military, economic, and political power without reaching a threshold that triggers an armed response” [1]. General Nakasone observes that “dictators …worried that their hold on power would be undermined by digital-age capabilities empowering civil society,” without going the next step. The existential fear of digitally driven regime change might cause dictators to see the USA as the bully that needs to be taught a lesson. America’s adversaries probably feel quite confident that they are striking back, not first. Put in stark terms, it is hard, in particular, to blame Iran if it felt the need to respond in kind to the Stuxnet attack. Very close US allies, as well as adversaries, felt that US cyber operations, as revealed by Edward Snowden, showed a lack of restraint. The US defense of the “golden age” of US espionage rested heavily on the legal arguments of espionage (“everyone does it”) rather than whether other nations might feel that red lines had been crossed or might respond in kind or escalate to stop the proposed US norms [81].14 These operations may be fully in USA and global interests but cannot be excluded from a thorough understanding of conflict dynamics and determination of appropriate counters. Jervis calls this the “‘Rashomon effect’ after the famous Japanese short story and movie” where adversaries “do not communicate well, and each participant sees the situations differently,” in line with their own worldview and predilections [82]. It becomes easy to assume those who do not share their own perspective must be acting out of bad faith or hostility. Adversaries may see US forward defense not as a reasonable response to their own norm-busting behavior but as an escalation. In his book The Cybersecurity Dilemma, Ben Buchanan examines these dynamics in detail [83]. The new strategy fails to address this obvious risk. Cyberspace is existentially important to all nations which cannot readily permit an enduring US superiority. Some adversaries and allies might theoretically accept a US forward defense but only if they trusted that the USA would not take advantage of the new equilibrium to engage in tactics such as widespread Internet surveillance or covert cyber actions. Unfortunately, with supremacy and overmatch in cyberspace the stated goals of the Department of Defense, Washington, DC is unlikely to take these measures off the table. Norms work better if they’re not seen as mutual, restraining both sides, and if they don’t change as a matter of whim or convenience. The USA has been inconsistent here, long insisting that its own espionage for geopolitical purposes was acceptable (and even stabilizing) then crying foul over similar behavior by China, claiming activity like the intrusion into OPM must be deterred. This would be less a mutually restraining “norm” than an asymmetric advantage to be imposed through power by one side on others. For persistent-engagement stability theory to bring equilibrium, adversaries need assurance that if they do adhere to US norms, they would not suffer some new (real or perceived) cyber insult from the USA. Amongst the reasons to believe this will not happen is that adversary operations that are within those norms should get a less aggressive response from the USA. As Max Smeets has written, “it is hard to see what exactly would be deemed as acceptable behavior” by the USA and there will be temptation to aggressively intercept and halt any potential attack on the homeland [68]. In addition, the DoD (and other US agencies, as will be explored in the next section) is bound to flex its new authorities regardless of the commitment of those adversaries to norms. These operations could well be perceived by as hostile actions and proof the USA is itself ignoring restraint. And when there is another Panama Papers-style leak, paranoid autocrats like Putin are unlikely to believe any US denial of involvement. Synchronization—coordinating a mutually beneficial solution—will be difficult. Forward defense may be destined to introduce more positive than negative feedback. The posture and organizational dynamics feedback loops also overlap in their effects. It is possible there is a positive feedback loop of policy isomorphism if the act of declaring an “offense is the best defense” posture (backed by perceived capability) shoves adversaries into adopting the same posture. It may be stabilizing if adversaries believe they cannot (or ought not) respond. It is likewise possible that as nations create commands to conduct offensive cyber operations, and delegate authority to conduct such operations, other nations will do the same. The global proliferation of cyber commands suggests some such dynamic, and China’s seems purpose-built to match or “supersede” US Cyber Command [84]. Once created, these military cyber commands may feel an organizational imperative to engage in offensive cyber operations, whether to justify budgets or respond to operational contact with adversaries. US forward defense might cause headwinds to adversary operations, only to see that counteracted by the tailwinds of additional resources flowing to adversary cyber commands using the US posture to justify their own larger budgets. For tacit bargaining to work smoothly, adversaries must be very sensitive to each other’s signals and each signal should ideally be well calibrated. Unfortunately, every action, even those that are considered routine operations, will send a signal. The Chinese may feel they are respecting the norms laid out by the Department of State, only to suffer deep intelligence intrusions from the National Security Agency into sensitive Communist Party networks, see US Cyber Command teams conduct operational preparation of the environment, and have the Department of Justice indict Chinese intelligence officers for hacking US critical infrastructure and military targets for purely geopolitical purposes. To the US side, these will seem routine and necessary actions, just following the normal procedures. But they will take on a life of their own once the personnel are trained, budgets approved, and teams organized. Those agencies may resist any suspension of such operations, partially justified out of concern that stopping them might signal US weakness. Persistent engagement requires a significant, perhaps even massive, shift in mindset, not just for US military and policymakers but those of Russia, China, Iran, and North Korea as well. To the traditional professional soldier, “the only proper end of war is military victory,” whether this is securing the unconditional surrender of Nazi Germany or Imperial Japan in World War Two, or ejecting Iraqi forces from Kuwait in 1991 [85]. Yet, this kind of victory, and the “decisive battles” which lead them, seem impossible in cyber conflict [86]. It is more likely that for as long as cyberspace exists, conflict will not end in lasting victory or defeat for any side, but rather be an endless ebb and flow of operations and campaigns marked by waxing and waning of competing national capabilities. The US military must resist the temptation to cross the Yalu River to deliver the fatal blow. If such a victory seems in sight, it must remove its boot from the adversary’s neck, because it is surely a mirage. Fischerkeller and Harknett have made this point, which is sometimes lost, that a “sustained advantage in persistent engagement should induce restraint on the part of the more effective state”, so that the losing state doesn’t “escalate out of agreed competition and rely on war or the threat of war to contain the loss of vital power” [76]. A modern nation cannot be permanently wiped from cyberspace nor can they afford to cede the domain permanently to any other nation. Aiming to do so carries a high chance of violent backlash. Especially if it does not offer immediate success, the nuance of the approach might easily be lost with more traditionally minded officers and policymakers, leaving a more simple (and brutal) remnant. The subtle strategies of Cold War containment by those like George Kennan did not long last the chest thumping aggression of those like General Curtis LeMay. If the US military cannot easily achieve both stability and superiority, then the military culture may revert to seeking stability through superiority. The new strategy is predicated on carefully calibrated subtlety over long periods of time, matched with a corresponding change in mindset by military and national security leaders; the risks of failure are significant. These dynamics are exacerbated by the feedback loop of emotion and cognitive biases. If an adversary is afraid of provoking a kinetic response or of challenging a rival in cyberspace, then emotion will dampen conflict. Indeed, this is much of the main argument for cyber deterrence: brandishing fearsome capabilities or letting adversaries know they will pay too high a penalty. As General Nakasone testified to senators, adversaries “don't fear us” a situation he concurred was “not good” [87]. But calibrating cyber signals in these ways to cause just enough fear, but not too much to cause a reaction, may be hard and there is not much supporting evidence the dynamics work this way [16]. Being on the receiving end of intimidating behavior or a cyber incident can incite strong emotional responses other than fear: anger and a gut-level desire for vengeance to inflict punishment for punishment’s sake. Not just norm-busting attacks but espionage might be perceived as a status challenge driving an emotional urge to righteously charge forward, not cautiously step back [88, 89]. Anger often leads to optimistic judgments, such as those about the value of retaliating [90], feeding the natural tendency of national security hawks, whose “preference for military action over diplomacy is often built upon the assumption that victory will come swiftly and easily” [91]. Constant concern that adversaries may have penetrated sensitive systems, even if only for espionage, can cause a “damaging sense of paranoia,” feeding the adversary’s own hawks [83], and “conflict often hardens attitudes and drives people to extreme positions” [9]. The US leadership has been confused about whether it wants to be threatening or not. Ed Wilson, the senior US cyber official at the Pentagon has maintained that “we’re not trying to be aggressive in behavior” [31],15 but Bolton confirmed a journalist’s question that “we're going to see more aggressive offense from the U.S. side … like retaliation” [7]. There is likely a significant blind spot in Washington DC to the emotional impact of adversaries and allies being on the receiving end of US forward defense, espionage, and operational preparation of the environment in cyberspace. Prospect theory further hints these effects will be exacerbated. After adversary capabilities and infrastructure are disrupted by US forward defense, they can be expected “to be relatively risk tolerant in their efforts to defend their latest gains, which they now see as a potential loss,” as was recently argued for nuclear deterrence [92]. In such situations, decision makers may be unwilling to accept the status quo as a new reference point, as expected under the new strategy. Risks to the larger system The third and last set of feedback loops are the impact of persistent engagement on the larger system of cybersecurity and cyberspace. Persistent presence may be incompatible with the overarching US policy to “promote an open, interoperable, reliable, and secure Internet that fosters efficiency, innovation, communication, and economic prosperity” [35]. The competing goals of stability and superiority may prove to be mutually exclusive. Lin and Smeets have conducted a simple but very effective scenario-based analysis to examine these trade-offs [93]. The USA has been here before when, prompted by the Snowden revelations US allies moved to create stronger European borders in cyberspace [94]. Engaging in hot pursuit of Russians into European infrastructure may not garner the thanks of grateful allies for liberating their systems from occupation. As Lisa Monaco, former White House advisor for homeland security, cautioned, “other countries may not see U.S. activity on their network as ‘defensive’” [95]. According to one DoD official, the new strategy will require the trust of US allies to permit (and hopefully support) such activities.16 Given the Trump administration’s willingness to challenge even the closest allies, this trust will be hard won. In a particularly striking phrase, Smeets has written that “U.S. Cyber Command’s mission to cause friction in adversaries’ freedom of maneuver in cyberspace may end up causing significant friction in allies’ trust and confidence.” [69]. This wariness towards US cyber tactics is not limited to foreigners, as Adam Segal has pointed out: “As story after story emerged alleging that the NSA undermined encryption, hacked into cables carrying the data of U.S. companies, placed implants and beacons in servers and routers, and generally weakened Internet security … [p]olicymakers failed to comprehend the depth of Silicon Valley’s anger” [94]. As with Russia’s election interference—at least partially in response to the release of the Panama Papers—there is a strong chance of horizontal escalation as cyber skirmishes expand into a larger information battle that splashed collateral damage through society. The strategy further ignores the impact on the rest of us. US Cyber Command mentions several of the most important dynamics that set cyberspace apart, such as disruptive technology and shifting terrain. But it does not adequately address that, unlike other warfighting domains, cyberspace is dominated by the private sector, civil society and individuals. In our private and professional lives, each of us uses the same technologies as America’s adversaries. Reduced operational constraints for US Cyber Command means, for example, keeping more Microsoft zero-day vulnerabilities, compromising more core Internet infrastructure, and more operations in the “grey space” of private property. The Cold War strategy of containment, Jacqueline Schneider has written, “was an articulation of what mattered to the long-term prosperity and success of the United States—something that persistent engagement needs,” not just to “to clearly prioritize the Defense Department’s limited cyber resources,” but also balance it with competing public policy priorities like creating an “open, interoperable, reliable, and secure cyberspace” [11]. Espionage in the Cold War did not affect Main Street, the town square, or the privacy of the bedroom. Cyber espionage can, by eroding trust in the underlying technologies used for commerce, society, and in our personal lives. By misunderstanding the impact of cyber espionage and elevating persistent engagement with adversaries to the “only” way of establishing norms, the Vision ignores significant knock-on risks. Going into cyber combat “toe to toe with the Roosskies”17 may indeed lead to victory, but how much of cyberspace will survive the war? The era of persistent engagement will change the Internet, perhaps fundamentally, with a broader impact that is difficult to predict. Into an era of persistent engagement There may be great advantages to the USA in following a strategy of persistent presence. But there are also opportunities for mistake, misperception, and miscalculation. Persistent engagement could also fail if the USA, as a technology-dependent democracy, is unable to play the game hard enough to apply negative feedback. In either case, the USA may only be able to establish stability through non-cyber responses or forgoing the goal of superiority. Fighting fire with fire might be viscerally satisfying but can be self-defeating if everyone is covered in gasoline and standing in the same knee-deep dry grass. For some international crises, all but the most extreme hawks acknowledge that there may be no military solution. If persistent engagement leads to positive feedback, amplifying rather than dampening the response from adversaries, the USA may have to accept that this is one of those situations. All systems marked by positive feedback “are characterized by a self-impelled ‘switch’ or discontinuity between two extreme states” [96]. There is no “balance” and the system cannot, in the long-term, be “managed.” It may be that the Internet’s only stable states are (1) the original, mostly open and resilient model with mild attacks and few predators and (2) a free-for-all where “secure and reliable access to the global network is no longer a global right but a luxury good” and “cyber offense is no longer just better than defense, it is unbeatable” [97]. Cyberspace would no longer be merely the Wild West, but Somalia. Perhaps the imperatives of the new US Cyber Command Vision are the right ones, perhaps not. The risks discussed here may or may not turn out to be major concerns. No one—not US Cyber Command, a researcher in academia, or anyone else—can possibly know what comes next. What works with Russia, a declining power trying to regain global importance, may not work with a rising China. The nation’s response to a cyberspace of persistent engagement be an experiment: Try something. Measure what works. Abandon what doesn’t. Repeat. This leads to hard tasks for both policymakers and researchers alike. Policymakers should insist that further support for persistent engagement is dependent on four conditions. (1) Criteria and timeline for success: US Cyber Command asserts that more agility will increase adversaries’ costs and steer them back towards global norms. How long will that take, and how will we know progress when we see it? (2) Criteria for failure: US Cyber Command should likewise provide specific criteria for measuring whether forward defense is failing to work. This needs to be directly addressed, as it is natural to overemphasize sunk costs and be over-optimistic about chances of success while ignoring clear indicators of failure. A separate paper, co-authored with Neil Jenkins, has just been published with a framework to track whether the new policies are succeeding or failing, dissuading or inciting attacks.18 (3) Political throttle: If the US president is meeting a foreign counterpart, the NSC should be aware of current cyber operations and even develop options to slow down (or speed up) such operations to send diplomatic signals and reduce the chances of a mistake. (4) Sunset: Authorizations to allow more agility should have a specific date when they expire—perhaps one year—to give policymakers a chance to review the results. Without these conditions, it is too likely that some future cyber general will echo what seems a constant refrain other US forever wars: “We’re turning the corner in Iraq/Afghanistan/cyberspace. We have the right strategy we just need more resources and fewer constraints to using our power.” Persistent engagement will place military and intelligence forces in close contact, actively contending with each other. If this dynamic isn’t to spiral out of control, there must be military-to-military hotlines and diplomatic mechanisms to reduce the chances of miscalculation. The current gap between subtle strategies and fiery rhetoric threatens the process of “tacit bargaining” and could lead to the failure of the strategy. Which strategy is Putin and Xi likely to believe, the cautious one advanced by the operational commander, or the more aggressive one being pushed from the White House? The realization that cyber forces are in constant contact is certainly correct and persistent engagement is a reasonable response. But the power of the theory rests heavily on the nature of engagement between participants, so much so that there is only one response, a technologically determined dominant strategy: defending forward in close contact with adversaries to intercept and halt their operations with few restraints. If this holds true generally, and not just for the USA, then any nation, almost regardless of their preferred policy goals would be forced by the same necessities to make identical moves. The dominant strategy for the USA might the dominant strategy with explosive consequences. Moreover, if adversaries do not reduce their attacks, for any reason, the theory offers little advice other to defend forward harder. If the strategy isn’t succeeding, then US cyber forces must still have too many restraints, or are not causing enough friction, or not holding targets at risk for deterrent attacks. Persistent-engagement stability theory seems brittle: if the basic correlations are falsified—if forward defense causes more positive than negative feedback or is just incredibly difficult to pull off correctly (as with counter-insurgency operations)—the entire theory could collapse, taking very useful scholarship with it (as with counter-insurgency theory). Accordingly, future research should flip the cart/horse relationship to explore a theory of “stability-enhancing engagement,” which would begin with the desired end-state of strategic stability and work backwards through a more complete set of ways and means. These would include diplomacy, shifting the dynamics of cyberspace so that defenders have far more advantages than today, and yes, some role for defending forward. Stability-enhancing engagement theory might also shift more emphasis towards escalation control, not least the role of “exit ramps” to reduce tensions if cyber conflict gets too hot and “firebreaks” between the use of cyber and kinetic force. Stability-enhancing engagement theory must also more deeply explore feedback loops and how these may interact to create unintended consequences; their impact to enhance or degrade both national power and crisis stability; and how these dynamics might differ with China, Russia, Iran, and North Korea. Just as important is developing a theory of communication which includes the full range of tacit bargaining, deterrence, signaling, and diplomacy. Persistent engagement has similarities to other examples of where military and intelligence forces of the two blocs during the Cold War were in routine belligerent contact. Joe Nye suggests exploring one parallel, as “the US and the Soviet Union negotiated an Incidents at Sea Agreement in 1972 to limit naval behavior that might lead to escalation” [98]. Additional examples include anti-submarine warfare, espionage-counterespionage, freedom-of-navigation operations, and intelligence, surveillance, and “exciter” flights against each other’s homelands. More broadly, researchers must expand their focus beyond the US context. For example, how will persistent engagement affect dynamics between China and Taiwan, or those between India and Pakistan? Is persistent engagement, as argue, really an imperative? Even if it is, is it an imperative that leads to success or is better to just not play the game? This is not just constant contact, but a new and highly risk forever war, and we must all be ready for it. Funding This work was supported by the Office of Naval Research under the OSD Minerva program [grant number N00014-17-1-2423]. Footnotes 1 Author’s experience as US Air Force staff officer creating the unit. 2 Author’s experience in the White House in 2003–2005 and discussion with the then-NSC official responsible for NSPD 38, 22 August 2018. 3 Author’s discussion with former NSC official involved in coordination of PPD-20, 24 September 2018. 4 Trey Herr in discussion with author, Atlantic Council, 17 July 2019. 5 Quoting Gregg Kendrick, Marine Corps Forces Cyberspace Command. 6 Quoting Lt Gen Vincent Stewart, US Cyber Command. 7 Author’s personal conversation with former senior DoD policy official, 13 December 2019. 8 Quoting Garret Harden. 9 Discussion with James Clapper, Peter Clement, and Jason Healey, Columbia University, 21 February 2019. 10 From author’s experience in discussions with Chinese officials. 11 Quoting Dr Emily Goldman. 12 Emails from Joe Nye to Jason Healey, 6 and 14 March 2019. 13 For example, see Lawfare’s catalog of the many revelations at https://www.lawfareblog.com/snowden-revelations. 14 Quoting General Michael Hayden. 15 Quoting Burke “Ed” Wilson, Deputy Assistant Secretary of Defense for Cyber Policy. 16 Conversation with author, Arlington, Virginia, 17 July 2019. 17 B-52 Pilot Major Kong to his crew in ‘Dr. Strangelove or: How I Learned to Stop Worrying and Love the Bomb’. Film. 1964. 18 Initial results were presented by Jason Healey and Neil Jenkins at CyberWarCon 2018, 28 November 2018, https://www.youtube.com/watch?v=cp0rjgEpWEw. A more detailed paper is forthcoming. Acknowledgments Dr Brandon Valeriano provided useful suggestions and encouragement. Dr Michael Fischerkeller, Dr Emily Goldman, and Dr Richard Harknett spent considerable time patiently explaining their writings. The concepts in this article were shaped by many conversations around the lunch table at the Saltzman Institute of War and Peace Studies, especially with Dr Robert Jervis and Dr Richard Betts. My thanks to Stanford University’s Center for International Security and Cooperation—especially Dr Herb Lin and Dr Max Smeets—for a workshop in March 2019 to refine the article. Jennifer Gennaro, Divyam Nandrajog, Augusta Gronquist, and Virpratap Vikram Singh of SIPA provided research and editing support. References 1 Joint Forces Quarterly An Interview with Paul M. Nakasone . Joint Forces Quarterly 2019 ; 92 : 4 – 9 . https://ndupress.ndu.edu/Portals/68/Documents/jfq/jfq-92/jfq-92.pdf (July 31 2019, date last accessed). WorldCat 2 Nakasone PM. A cyber force for persistent operations . Joint Forces Quart 2019 ; 92 :https://ndupress.ndu.edu/Portals/68/Documents/jfq/jfq-92/jfq-92.pdf (July 31 2019, date last accessed). WorldCat 3 U.S. Cyber Command . Achieve and Maintain Cyberspace Superiority: Command Vision for U.S. Cyber Command. 23 March 2018 . https://assets.documentcloud.org/documents/4419681/Command-Vision-for-USCYBERCOM-23-Mar-18.pdf (July 31 2019, date last accessed). 4 Department of Defense . Cyber Strategy 2018 2018 ;1: 4 . https://media.defense.gov/2018/Sep/18/2002041658/-1/-1/1/CYBER_STRATEGY_SUMMARY_FINAL.PDF (July 31 2019, date last accessed). 5 Nakasone PM. Keynote - Sept. 6, 2018. Billington CyberSecurity. 2018 . https://www.youtube.com/watch?v=uUjWVvBiWPo&feature=youtu.be (at 17: 44 mins) (July 31 2019, date last accessed). 6 Fischekeller MP , Harknett RJ. What is agreed competition in cyberspace? Lawfare, 19 February 2019 . https://www.lawfareblog.com/what-agreed-competition-cyberspace (July 31 2019, date last accessed). 7 The White House . Transcript: White House Press briefing on national cyber strategy - Sept. 20, 2018 . The White House , 2018 ; https://news.grabien.com/making-transcript-white-house-press-briefing-national-cyber-strateg (July 31 2019, date last accessed). WorldCat 8 Pence M. Remarks By Vice President Pence at The DHS Cybersecurity Summit. The White House. 31 January 2018 . https://www.whitehouse.gov/briefings-statements/remarks-vice-president-pence-dhs-cybersecurity-summit/ (July 31 2019, date last accessed). 9 Jervis R. System Effects: Complexity in Political and Social Life . Princeton, NJ : Princeton University Press , 1998 . Google Preview WorldCat COPAC 10 Lachow I. Active Cyber Defense: A Framework for Policymakers . Center for a New American Security , February 2013 . WorldCat 11 Schneider JG. Persistent Engagement: Foundation, Evolution and Evaluation of a Strategy. Lawfare. 10 May 2019 . https://www.lawfareblog.com/persistent-engagement-foundation-evolution-and-evaluation-strategy (July 31 2019, date last accessed). 12 Department of Defense , Defense Science Board . Task Force On Information Warfare - Defense (IW-D)., 25 November 1996 . http://www.au.af.mil/au/awc/awcgate/infowar/iwd/iwdmain.htm (July 31 2019, date last accessed). 13 Healey J. (ed.). A Fierce Domain: Conflict in Cyberspace 1986–2012 . Arlington, VA : Cyber Conflict Studies Association (CCSA), 2013 . Google Preview WorldCat COPAC 14 Lynn WJ. III , Defending a new domain . Foreign Affair 2010 ; 89 : https://www.foreignaffairs.com/articles/united-states/2010-09-01/defending-new-domain (July 31 2019, date last accessed). WorldCat 15 Department of Defense . Department of Defense Strategy for Operating in Cyberspace., July 2011 . https://csrc.nist.gov/CSRC/media/Projects/ISPAB/documents/DOD-Strategy-for-Operating-in-Cyberspace.pdf (July 31 2019, date last accessed). 16 Owens WA , Dam KW , Lin HS. Technology, Policy, Law, and Ethics regarding U.S. Acquisition and Use of Cyberattack Capabilities . Washington, DC : National Research Council , 2009 , 170 . Google Preview WorldCat COPAC 17 Department of Defense . Joint Publication 3-12: Cyberspace Operations. 2018 : II-4, II-5, II-6. https://fas.org/irp/doddir/dod/jp3_12.pdf (July 31 2019, date last accessed). 18 Graham B. Bush Orders Guidelines for Cyber-Warfare. The Washington Post. 7 February 2003 . https://www.washingtonpost.com/archive/politics/2003/02/07/bush-orders-guidelines-for-cyber-warfare/dd8b4a18-140c-4690-88a5-0041d4ce1b1c/? utm_term=.ceaefde60847 (July 31 2019, date last accessed). 19 Nakashima E. Pentagon proposes more robust role for its cyber-specialists. The Washington Post. 9 August 2012 . https://www.washingtonpost.com/world/national-security/pentagon-proposes-more-robust-role-for-its-cyber-specialists/2012/08/09/1e3478ca-db15-11e1-9745-d9ae6098d493_story.html? utm_term=.518dc22f5ec7 (July 31 2019, date last accessed). 20 The White House . Fact Sheet on Presidential Policy Directive 20 . The White House 2013 ; https://www.epic.org/privacy/cybersecurity/Pres-Policy-Dir-20-FactSheet.pdf (July 31 2019, date last accessed). WorldCat 21 The White House . Presidential Policy Directive – Signals Intelligence Activities. The White House. 17 January 2014 . https://obamawhitehouse.archives.gov/the-press-office/2014/01/17/presidential-policy-directive-signals-intelligence-activities (July 31 2019, date last accessed). 22 General Paul Nakasone . Stenographic Transcript of Testimony Before the Committee on Armed Services. Subcommittee on Cybersecurity, U.S. Senate Hearing to Receive Testimony on the Cyber Posture of the Services 13 March 2018 : 10 . https://www.armed-services.senate.gov/imo/media/doc/18-25_03-13-18.pdf (July 31 2019, date last accessed). 23 Chesney R. Should interagency vetting of defense department cyber operations be reduced?. Lawfare. 4 May 2018 . https://www.lawfareblog.com/should-interagency-vetting-defense-department-cyber-operations-be-reduced (July 31 2019, date last accessed). 24 Pomerleau M. Cyber needs change quickly, cyber policies have not. Fifth Domain. 14 March 2018. https://www.fifthdomain.com/dod/2018/03/14/cyber-needs-change-quickly-cyber-policies-have-not/ (July 31 2019, date last accessed). 25 Pomerleau M. New leader wants cyber command to be more aggressive. Fifth Domain. 23 July 2018 . https://www.fifthdomain.com/dod/cybercom/2018/07/23/new-leader-wants-cyber-command-to-be-more-aggressive/ (July 31 2019, date last accessed). 26 Carter A. A Lasting Defeat: The Campaign to Destroy ISIS. Belfer Center for Science and International Affairs, Harvard Kennedy School, October 2017 . https://www.belfercenter.org/LastingDefeat (July 31 2019, date last accessed). 27 Bing C. Trump Administration May Throw Out PPD-20, The Approval Process For Cyber Warfare. CyberScoop. 2 May 2018 . https://www.cyberscoop.com/ppd-20-white-house-national-security-council-cyber-warfare-tactics/ (July 31 2019, date last accessed). 28 Nakashima E. White House Authorizes ‘Offensive Cyber Operations’ to Deter Foreign Adversaries. The Washington Post. 20 September 2018 . https://www.washingtonpost.com/world/national-security/trump-authorizes-offensive-cyber-operations-to-deter-foreign-adversaries-bolton-says/2018/09/20/b5880578-bd0b-11e8-b7d2-0773aa1e33da_story.html? utm_term=.e38a8ca5c978 (July 31 2019, date last accessed). 29 Chesney R , Lin H , Smeets M. Unpublished Proposal 2019 ; 30 U.S. House of Representatives . John S. McCain National Defense Authorization Act for Fiscal Year 2019. 2018 ; 1269 . Section 1632. https://docs.house.gov/billsthisweek/20180723/CRPT-115hrpt863.pdf (July 31 2019, date last accessed). 31 Pomerleau M. Is Cyber Command Really being more ‘Aggressive’ in Cyberspace?. Fifth Domain. 25 April 2019 . https://www.fifthdomain.com/dod/2019/04/25/is-cyber-command-really-being-more-aggressive-in-cyberspace/ (July 31 2019, date last accessed). 32 Pomerleau M. Defense Officials Taking Advantage Of New Cyber Authorities. Fifth Domain. 27 November 2018 . https://www.fifthdomain.com/dod/cybercom/2018/11/27/defense-officials-taking-advantage-of-new-cyber-authorities/ (July 31 2019, date last accessed). 33 Department of Defense , Defense Science Board . Task Force on Cyber Deterrence . 28 February 2017 ; 3 : 7 . https://www.acq.osd.mil/dsb/reports/2010s/DSB-cyberDeterrenceReport_02-28-17_Final.pdf (July 31 2019, date last accessed); author served on this task force. WorldCat 34 The White House . National Strategy to Secure Cyberspace. February 2003 . https://georgewbush-whitehouse.archives.gov/pcipb/. Accessible at https://www.us-cert.gov/sites/default/files/publications/cyberspace_strategy.pdf (July 31 2019, date last accessed). 35 Office of the Chairman of the Joint Chiefs of Staff . National Military Strategy for Cyberspace Operations . Homeland Security Digital Library 2006 ; 13 . https://www.hsdl.org/? abstract&did=35693 (July 31 2019, date last accessed). WorldCat 36 The White House, National Security Presidential Directive 54/Homeland Security Presidential Directive 23. The White House. 8 January 2008 . https://fas.org/irp/offdocs/nspd/nspd-54.pdf (July 31 2019, date last accessed). 37 The White House . Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. 11 May 2017 . https://www.whitehouse.gov/presidential-actions/presidential-executive-order-strengthening-cybersecurity-federal-networks-critical-infrastructure/ (July 31 2019, date last accessed). 38 The White House . National Cyber Strategy 1 August 2018 ; 20 - 21 . https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf (July 31 2019, date last accessed). 39 Libicki MC. Cyberdeterrence and Cyberwar . Santa Monica, CA : Rand Corporation , 2009 : xix. https://www.rand.org/content/dam/rand/pubs/monographs/2009/RAND_MG877.pdf (July 31 2019, date last accessed). Google Preview WorldCat COPAC 40 Valeriano B , Jensen B , Maness RC. Cyber Strategy: The Evolving Character of Power and Coercion . New York : Oxford University Press , 2018 : 7 . Google Preview WorldCat COPAC 41 Gartzke E , Lindsay JR. Weaving Tangled Webs: offense, Defense, and Deception in Cyberspace . Security Studies 2015 ; 24 : 316 – 348 . http://deterrence.ucsd.edu/_files/Weaving%20Tangled%20Webs_%20Offense%20Defense%20and%20Deception%20in%20Cyberspace.pdf (July 31 2019, date last accessed). Google Scholar Crossref Search ADS WorldCat 42 Elliott D. Deterring Strategic Cyberattack . IEEE Security & Privacy 2011 ; 9 :36–40. https://ieeexplore.ieee.org/document/5719592 (July 31 2019, date last accessed). WorldCat 43 Morgan PM. Applicability of traditional deterrence concepts and theory to the cyber realm. In: Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy. Washington, DC: The National Academies Press, 2010 . https://www.nap.edu/read/12997/chapter/7 (July 31 2019, date last accessed). 44 Jervis R. Some thoughts on deterrence in the cyber era . J. Inform. Warfare 2016 ; 15 : https://www.jinfowar.com/journal/volume-15-issue-2/some-thoughts-deterrence-cyber-era (July 31 2019, date last accessed). WorldCat 45 Sulmeyer MH. The U.S. can play cyber-offense. Foreign Affairs, 22 March 2018 . https://www.foreignaffairs.com/articles/world/2018-03-22/how-us-can-play-cyber-offense (July 31 2019, date last accessed). 46 Nye JS. Jr Deterrence and dissuasion in cyberspace . Int Security 2017 ; 41 : 3 . Google Scholar Crossref Search ADS WorldCat 47 Harknett RJ , Nye JS. Jr. Harknett’s response to Nye: Is deterrence possible in cyberspace? Int Security 2017 ; 42 : 196 . Google Scholar Crossref Search ADS WorldCat 48 Healey J. Cyber deterrence is working, so far. Cipher Brief. 23 July 2017 . https://www.thecipherbrief.com/cyber-deterrence-is-working-so-far (July 31 2019, date last accessed). 49 Healey J. Not the cyber deterrence the United States wants. Council on Foreign Relations, 11 June 2018 . https://www.cfr.org/blog/not-cyber-deterrence-united-states-wants (July 31 2019, date last accessed). 50 The White House . Remarks by the President in year-end press conference. The White House, 19 December 2014 . https://obamawhitehouse.archives.gov/the-press-office/2014/12/19/remarks-president-year-end-press-conference (July 31 2019, date last accessed). 51 The White House . Statement from the press secretary. The White House, 2018 . https://www.whitehouse.gov/briefings-statements/statement-press-secretary-25/ (July 31 2019, date last accessed). 52 Franceschi-Bicchierai L. How the FBI took down the botnet designed to be ‘impossible’ to take down. Motherboard, 12 August 2015 . https://motherboard.vice.com/en_us/article/539xy5/how-the-fbi-took-down-the-botnet-designed-to-be-impossible-to-take-down (July 31 2019, date last accessed). 53 Harknett RJ , Goldman E. The search for cyber fundamentals . J. Inform. Warfare 2016 ; 15 :https://www.jinfowar.com/journal/volume-15-issue-2/search-cyber-fundamentals (Emphasis in original) (July 31 2019, date last accessed). WorldCat 54 Fischerkeller MP , Harknett RJ. Deterrence is not a credible strategy for cyberspace . Orbis 2017 ; 61 : 381 – 393 . https://www.sciencedirect.com/science/article/pii/S0030438717300431 (Emphasis added) (July 31 2019, date last accessed). Google Scholar Crossref Search ADS WorldCat 55 Harknett RJ. United States cyber command’s new vision: what it entails and why it matters. Lawfare, 23 March 2018 . https://www.lawfareblog.com/united-states-cyber-commands-new-vision-what-it-entails-and-why-it-matters (July 31 2019, date last accessed). 56 Lt Gen Vincent Stewart . Keynote address. CyCon U.S., 18 December 2018 . https://cyber.army.mil/Events/CyCON-US/Article/1716745/lt-gen-vincent-stewart-deputy-commander-us-cyber-command/ (July 31 2019, date last accessed). 57 Fischerkeller MP , Harknett RJ. Persistent engagement and tacit bargaining: a path toward constructing norms in cyberspace. Lawfare, 9 November 2018 . https://www.lawfareblog.com/persistent-engagement-and-tacit-bargaining-path-toward-constructing-norms-cyberspace (July 31 2019, date last accessed). 58 From Jack Snyder, workshop at Columbia University, 18 April 2019 59 Nakashima E , DeYoung K. Trump administration hits Iranian Hacker network with sanctions, indictments in vast global campaign. The Washington Post, 23 March 2018 . https://www.washingtonpost.com/world/national-security/trump-administration-hits-iranian-hacker-network-with-sanctions-indictments-in-vast-global-campaign/2018/03/23/4481721c-2e16-11e8-8688-e053ba58f1e4_story.html? utm_term=.6feeafff2fe6 (July 31 2019, date last accessed). 60 Greenberg A. The White House blames Russia For NotPetya, the ‘most costly cyberattack in history’. WIRED, 15 February 2018 . https://www.wired.com/story/white-house-russia-notpetya-attribution/ (July 31 2019, date last accessed). 61 The White House . Press briefing on the attribution of the wannacry malware attack to North Korea. The White House, 19 December 2017 . https://www.whitehouse.gov/briefings-statements/press-briefing-on-the-attribution-of-the-wannacry-malware-attack-to-north-korea-121917/ (July 31 2019, date last accessed). 62 Lyngaas S. U.S. announces disruption of ‘Joanap’ Botnet linked with North Korea. CyberScoop, 30 January 2019 . https://www.cyberscoop.com/joanap-botnet-north-korea-department-of-justice/ (July 31 2019, date last accessed). 63 Betts RK. Soldiers, Statesmen, and Cold War Crises . New York : Harvard University Press , 1977 , 76 . Google Preview WorldCat COPAC 64 Kennedy P. Strategy and Diplomacy 1870-1945 . Fontana Press , 1989 , 129–62. Google Preview WorldCat COPAC 65 Lin H , Smeets M. What is absent from the U.S. cyber command ‘vision’. Lawfare, 3 May 2018 . https://www.lawfareblog.com/what-absent-us-cyber-command-vision (July 31 2019, date last accessed). 66 Baker S. Four principles to guide the US response to cyberattacks. Fifth Domain, 7 February 2019 . https://www.fifthdomain.com/thought-leadership/2019/02/07/four-principles-to-guide-the-us-response-to-cyberattacks/ (July 31 2019, date last accessed). 67 Healey J. The Cartwright Conjecture: The Deterrent Value and Escalatory Risk of Fearsome Cyber Capabilities. In: Bytes, Bombs and Spies: The Strategic Dimensions of Offensive Cyber Operations . Washington, DC : Brookings Institution Press , 2019 . Google Preview WorldCat COPAC 68 Smeets M. There are too many red lines in cyberspace. Lawfare, 20 March 2019 . https://www.lawfareblog.com/there-are-too-many-red-lines-cyberspace (July 31 2019, date last accessed). 69 Smeets M. Cyber command’s strategy risks friction with allies. Lawfare, 28 May 2019 . https://www.lawfareblog.com/cyber-commands-strategy-risks-friction-allies (July 31 2019, date last accessed). 70 Healey J. US Cyber Command: "When Faced With A Bully. hit Him Harder." The Cipher Brief . 26 February 2018 . https://www.thecipherbrief.com/column_article/us-cyber-command-faced-bully-hit-harder (July 31 2019, date last accessed). WorldCat 71 Nakashima E. New details emerge about 2014 Russian hack of the State Department: It was ‘hand to hand combat’. The Washington Post, 3 April 2017 . https://www.washingtonpost.com/world/national-security/new-details-emerge-about-2014-russian-hack-of-the-state-department-it-was-hand-to-hand-combat/2017/04/03/d89168e0-124c-11e7-833c-503e1f6394c9_story.html? utm_term=.e1331b07d929 (July 31 2019, date last accessed). 72 Secretary of the Navy. Cybersecurity Readiness Review, March 2019 . https://www.navy.mil/strategic/CyberSecurityReview.pdf (July 31 2019, date last accessed). 73 Gallagher S. US, Russia to install “cyber-hotline” to prevent accidental cyberwar. Ars Technica, 18 June 2013 . https://arstechnica.com/information-technology/2013/06/us-russia-to-install-cyber-hotline-to-prevent-accidental-cyberwar/ (July 31 2019, date last accessed). 74 Sanger DE , Perlroth N. U.S. escalates online attacks on Russia’s power grid. The New York Times, 15 June 2019 . https://www.nytimes.com/2019/06/15/us/politics/trump-cyber-russia-grid.html (July 31 2019, date last accessed). 75 Rogers M. Statement of admiral Michael S. Rogers commander United States cyber command before the senate armed services committee. 19 March 2015 . https://fas.org/irp/congress/2015_hr/031915rogers.pdf (July 31 2019, date last accessed). 76 Fischerkeller MP , Harknett RJ. Through persistent engagement, the U.S. can influence ‘agreed competition’. Lawfare, 15 April 2019 . https://www.lawfareblog.com/through-persistent-engagement-us-can-influence-agreed-competition (July 31 2019, date last accessed). 77 Tucker P. NSA-Cyber command chief recommends no split until 2020: Sources. Defense One, 6 March 2019 . https://www.defenseone.com/technology/2019/03/nsa-cyber-command-chief-recommend-no-split-until-2020/155345/ (July 31 2019, date last accessed). 78 Zetter K. Countdown to Zero Day . New York: Crown, 2014 . WorldCat 79 The Office of the Director of National Intelligence . Intelligence Report On Russian Hacking. The New York Times, 6 January 2017 . https://www.nytimes.com/interactive/2017/01/06/us/politics/document-russia-hacking-report-intelligence-agencies.html? module=inline (July 31 2019, date last accessed). 80 Taylor A. Putin saw the Panama Papers as a personal attack and may have wanted revenge, Russian authors say. The Washington Post, 28 August 2017 . https://www.washingtonpost.com/news/worldviews/wp/2017/08/28/putin-saw-the-panama-papers-as-a-personal-attack-and-may-have-wanted-revenge-russian-authors-say/? utm_term=.051af152f093 (July 31 2019, date last accessed). 81 Westmont Magazine . The consequences of disruption: current threats to U.S. security. Westmont Magazine, 2018 . https://blogs.westmont.edu/magazine/2018/05/18/the-consequences-of-disruption-current-threats-to-u-s-security-former-intelligence-chief-michael-hayden-offers-his-perspective-on-world-affairs/ (July 31 2019, date last accessed). 82 Jervis R. How Statesmen Think: The Psychology of International Politics . Princeton, NJ : Princeton University Press , 2017 , 6 . Google Preview WorldCat COPAC 83 Buchanan B. The Cybersecurity Dilemma: Hacking, Trust, and Fear between Nations . Oxford University Press , 2016 , 15 Google Preview WorldCat COPAC 84 Bing C. China’s cyber command is being built to supersede its U.S. military counterpart. CyberScoop, 22 June 2017 . https://www.cyberscoop.com/china-ssf-cyber-command-strategic-support-force-pla-nsa-dod/ (July 31 2019, date last accessed). 85 Huntington SP. The Soldier and the State: The Theory and Politics of Civil-Military Relations . Harvard University Press , 1957 (renewed 1985), 389 . Google Preview WorldCat COPAC 86 Valeriano B , Jensen B. The myth of the cyber offense: the case for restraint. Cato Institute, 15 January 2019 . https://www.cato.org/publications/policy-analysis/myth-cyber-offense-case-restraint (July 31 2019, date last accessed). 87 Baldor LC. Gen. Nakasone: China, Russia don’t fear US cyber retaliation. Stars and Stripes, 2 March 2018 . https://www.stripes.com/news/gen-nakasone-china-russia-don-t-fear-us-cyber-retaliation-1.514661 (July 31 2019, date last accessed). 88 McDermott R , Lopez AC , Hatami PK. ‘Blunt Not the Heart, Enrage It’: The Psychology of Revenge and Deterrence . Texas National Security Review 2017 ; 1 , DOI: 10.15781/T2RR1Q41T. WorldCat 89 McDermott R. Emotional Dynamics of Cyber Conflict. forthcoming. 90 McDermott R. The feeling of rationality: the meaning of neuroscientific advances for political science . Persp Pol 2004 ; 2 :691–606. WorldCat 91 Kahneman D , Renshon J. Why hawks win. Foreign Policy, 13 October 2009 . https://foreignpolicy.com/2009/10/13/why-hawks-win/ (July 31 2019, date last accessed). 92 Krepinevich AF. Jr. The eroding balance of terror . Foreign Affairs 2019 ; 98 : 69 . https://www.foreignaffairs.com/articles/2018-12-11/eroding-balance-terror (July 31 2019, date last accessed). WorldCat 93 Smeets M , Lin H. A Strategic Assessment of the U.S. Cyber Command Vision. In: Lin H , Zegart A (eds) Bytes, Bombs and Spies: The Strategic Dimensions of Offensive Cyber Operations . Washington, DC: Brookings Institution Press , 2019 . Google Preview WorldCat COPAC 94 Segal A. The Internet is undermining America’s power. Time, 22 February 2016 . http://time.com/4227841/internet-american-power/ (July 31 2019, date last accessed). 95 Uchill J. How cyber’s forward defense could backfire. Axios, 19 June 2018 . https://www.axios.com/how-cybers-forward-defense-could-backfire-abeb6e61-532d-437d-a03b-06b5785e570c.html (July 31 2019, date last accessed). 96 Gosling W. Helmsmen and heroes: control theory as a key to past and present . London: Weidenfeld & Nicolson , 1994 . WorldCat 97 Healey J. Risk nexus: overcome by cyber risks . Atlantic Council 2015 ; https://publications.atlanticcouncil.org/cyberrisks/risk-nexus-september-2015-overcome-by-cyber-risks.pdf (July 31 2019, date last accessed). WorldCat 98 Nye JS Jr. Rules of the cyber road for America and Russia. Project Syndicate, 5 March 2019. https://www.project-syndicate.org/commentary/cyber-rules-for-america-and-russia-by-joseph-s--nye-2019-03 (July 31 2019, date last accessed). © The Author(s) 2019. Published by Oxford University Press. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted reuse, distribution, and reproduction in any medium, provided the original work is properly cited.
TI - The implications of persistent (and permanent) engagement in cyberspace
JF - Journal of Cybersecurity
DO - 10.1093/cybsec/tyz008
DA - 2019-01-01
UR - https://www.deepdyve.com/lp/oxford-university-press/the-implications-of-persistent-and-permanent-engagement-in-cyberspace-bbYYVsrmV2
VL - 5
IS - 1
DP - DeepDyve
ER -