Editor’s note: This article is the second in a series, “Full-Spectrum: Capabilities and Authorities in Cyber and the Information Environment.” The series endeavors to present expert commentary on diverse issues surrounding US competition with peer and near-peer competitors in the cyber and information spaces. Read all articles in the series here.
Special thanks to series editors Capt. Maggie Smith, PhD of the Army Cyber Institute and MWI fellow Dr. Barnett S. Koven.
International affairs are already hard enough to unpack, less like chess or poker than the classic Japanese film (and short story) Rashomon, in which each of the participants has a widely differing view of even the most basic facts.
This Rashomon effect is even more acute in cyber conflict where each participant hides their offensive and espionage operations not just from their adversaries, but also from their own people, with implications for both democracy and stability in cyberspace. Neither the highest level of decision makers, nor their security apparatuses, have better than a murky and incomplete picture of cause and effect, which they spin for security, political, or bureaucratic advantage.
Murkiness and spin have a pernicious impact on both cyber conflict and democracy.
It’s Not Me, It’s You
In the HBO documentary The Perfect Weapon, based on New York Times journalist David Sanger’s book of the same title, Sanger and others highlight the unprecedented role of Stuxnet, the joint US-Israeli attack on Iran’s nuclear enrichment capability, in worsening cyber conflict. General Michael Hayden, former director of both the National Security Agency (NSA) and the Central Intelligence Agency (CIA), agreed, observing at the time that “somebody has crossed the Rubicon.”
When General Keith Alexander, General Hayden’s successor at NSA, was later asked about Stuxnet, he dismissed it, instead claiming that the new age of cyber warfare began with Iran’s Shamoon attack, which hit Saudi Aramco and Rasgas of Qatar with a “virus that infected the hard drives of over 30,000 computers” in 2012.
General Alexander raised Shamoon to deliberately sidestep the interviewer’s suggestion that Stuxnet defined a new era of cyber warfare: forget what we did to them first, let’s focus on what they did to us. He further ignored how only a few months before Shamoon, Iran suffered a similar attack targeting its own energy industry.
The malware, known as Wiper, “bore remarkable technical similarities to Stuxnet” and other attacks linked to the United States or Israel, according to Ben Buchanan in The Hacker and the State. General Alexander’s own agency acknowledged in a classified memo that Iran, having learned lessons from being on the receiving end of Wiper, followed with its own attack, Shamoon.
For years, General Alexander has repeated the charge of the damage to more than “30,000 computers” in speeches and congressional testimony, without hinting that the NSA knew Iran was hitting back, not striking first, in a symmetric (though perhaps disproportionate) retaliation to an attack likely from the United States, Israel, or both.
However, Iran is not the only case study. CIA appears to have new authorities to conduct covert actions against Russia as well, including using cyber capabilities for hack-and-dump operations. Such operations can lead to tit-for-tat responses. Vladimir Putin believed the release of the Panama Papers was a “US-directed [effort] to defame Russia,” which was a likely reason he interfered in the 2016 elections: Russia wanted to “discredit the image of the United States,” according to the US intelligence assessment.
Recent adversary operations against the United States may have been a response to unknown CIA covert actions. Given past US silence over Shamoon and Stuxnet, the US government will keep quiet about any offensive US activities to focus its public relations efforts on the inbound fire from adversaries.
The current commander of US Cyber Command (USCYBERCOM), General Paul Nakasone, might have more accurately framed the problem by saying that the early US cyber advantage—the “golden age” of US espionage—is not just over but has backfired and we must respond. Instead, he joins the chorus of complaints that adversaries “are actively in our network communications, attempting to steal data and impact our weapons systems,” ignoring that in his other role, as the director of the National Security Agency, he and his predecessors have been routinely conducting those same actions against US adversaries.
Iran and other adversaries will not be impressed with General Nakasone’s charge that cyberspace allows one side to “gain strategic advantage through competition without triggering armed conflict”—he adds that “our adversaries have learned this and are leveraging it against us”—as if the United States were somehow late to the cyber game or is now being unfairly picked on by bullies in the internet schoolyard.
America’s approach has long depended on technology to passively or actively undermine adversaries, a tactic that may be justified, but is also likely to explain some of the responding behavior. As highlighted by Justin Canfil and Trey Herr, then-US Secretary of State George Shultz argued in 1985 that dictators “will never be able entirely to block the tide of technological advance.” They would have to accept American technologies of openness or remain economically or socially backward. General Nakasone recognizes dictators’ fear that their “hold on power would be undermined by digital-age capabilities,” adding that the digitally enabled “Arab Spring in 2011 heightened these fears.”
The Trump administration’s National Cyber Strategy went so far as to say, “Americans sometimes took for granted that the supremacy of the United States in the cyber domain would remain unchallenged.” Neither General Nakasone nor the National Cyber Strategy makes the connection that in breaking the status quo, adversaries are trying to break out of an intentionally set US trap—regime change not through the back door as much as the fiber-optic cable—built on an early hegemonic lead in technology (which fed an early dominance in US cyber espionage).
General Nakasone and others are on solid ground when highlighting the many activities the United States does not conduct, like “stealing intellectual property” for commercial profit or disrupting the Olympic opening ceremonies. There is no moral equivalent between the most aggressive US cyber operations like Stuxnet and shutting down civilian electrical power in wintertime Ukraine or hacking a French television station and trying to pin the blame on Islamic State terrorists. But it clouds any case that the United States is the victim here to include such valid complaints alongside actions the United States does engage in, like geopolitical espionage. The concern of course is a growing positive feedback loop, with each side pursuing a more aggressive posture to impose costs after each fresh new insult by others, a posture that tempts adversaries to respond with their own, even more aggressive posture.
Consequences of One-Sided Knowledge
The Rashomon effect goes beyond the unknowns of cyber operations, which are difficult to detect, track, and attribute to any particular person or government. Of the more than 2.6 million Americans holding at least a secret security clearance, probably only a few dozen are cleared to know the totality of US operations against a particular adversary and its own operations against the United States.
If you are not one of them (and if you have time to read this article, you are not), then you cannot know what punches the United States has thrown, which we have taken, and the causal relationship between the two. And those who are in high enough positions to have this knowledge are generally too busy and overloaded to think deeply about how others might be reacting.
Directors of the Federal Bureau of Investigation or Cybersecurity and Infrastructure Security Agency are not routinely informed about CIA covert actions nor of most military offensive cyber operations. Traditionally, offensive and covert cyberspace actions were only conducted after interagency coordination and presidential approval, but offensive operations can now be approved at the level of secretary of defense or even by the commander of USCYBERCOM.
If US leadership remains in the dark regarding the scope and extent of US cyberspace operations, imagine the rank-and-file intelligence analysts, writing assessments of adversary activities, surely ignorant of the full picture but potentially guided by the public-relations spin of their most-senior leaders.
Russia, China, Iran, and North Korea, which lack the capable cybersecurity companies and intelligence capabilities of the United States, almost certainly have a murkier understanding of cause and effect and likely suspect the United States of far more operations than it actually undertakes. The leadership of Russia and Iran, which heavily rely on proxies, likely have, at best, a hazy working knowledge of the details of cyberspace actions taken on their nations’ behalf.
Knowledge asymmetry upends the normal pattern of conflict or competition. During the Cold War, Soviet military maneuvers and capabilities were closely guarded secrets largely unknown in the West. But the transparency of democratic governments and a free press ensured that US and NATO operations were comparatively transparent and open. Even with wartime propaganda, the same information asymmetry regarding military operations was broadly true in the world wars.
By contrast, as General Alexander’s comments show, cyber attacks from US adversaries are shouted from the rooftops while the United States’ own remain classified. Asymmetric information and misdirection foster a growing sense of US victimhood and a narrative that paints adversaries as intransigent or illogical.
When a leak about US capabilities and operations occurs, government personnel with clearances are forbidden to look at this part of the public record, meaning they may actually know less about US operations than their adversaries or the informed public.
Think-tank staff and academic researchers in the United States often shy away from such material (with exceptions like Ben Buchanan) so as not to hamper their chances of a future security clearance. Even as senior researchers, we were careful not to directly quote NSA’s classified assessment of Iran, but rather paraphrased a derivative article.
A student, working in the Department of Defense, was not so lucky, telling us that to get through the department’s pre-publication review, their thesis would skip US offensive operations and instead focus on defense.
Such examples highlight the distorting effects of censorship or overclassification: authors are incentivized to avoid what patrons want ignored and emphasize what patrons want highlighted or what already exists in the public domain. In paper after paper over the decades, new historical truths are cumulatively established in line with patrons’ preferences because they control the flow and release of information.
After a while even the most open-minded leaders can forget other truths and defer to the public narrative. Because those activities cannot be published, they overlook or omit how the United States has a long history of taking offensive action in cyberspace, which may prompt reciprocal actions from adversaries.
Impact on Democracy
Secrecy is necessary, even in an open democracy, to allow militaries and intelligence services to conduct their critical missions. With this secrecy, though, comes the responsibility not to use classification for self-serving reasons.
Members of the public, academic researchers, cybersecurity practitioners, and even members of Congress (who are not on the relevant committees) might be manipulated through this process, deciding that America’s adversaries are uncompromising in the face of loudly proclaimed, but selectively chosen, US “restraint.” With a narrative of victimhood, America’s cyber spies and warriors surely deserve bigger budgets and fewer constraints.
Stabilizing cyber conflict requires a clear-eyed understanding of cause and effect, moves and countermoves, especially when implementing an aggressive new strategy based on adversaries’ perceived intransigence. The US transparency over Operation GLOWING SYMPHONY, the cyber campaign against the Islamic State, is an astounding case study in openness. But more should be done with respect to operations directed against state adversaries who can shoot back, like Iran.
Cause and effect can become nearly impossible to distinguish, leading to more extreme moves by all adversaries and escalating cyber conflict as each nation is increasingly certain it is the aggrieved party. This compounds the well-established phenomenon that countries in conflict tend to underestimate the aggression of their own actions and overestimate the aggression of their adversaries. One’s own moves seem just and proper reactions to the other’s lack of restraint.
Publicly chastising adversarial conduct and operations in cyberspace while simultaneously classifying one’s own is not tenable, leading to a biased view of cyber conflict that can be poisonous in a democracy.
Jason Healey is a senior research scholar at Columbia University’s School of International and Public Affairs, specializing in cyber conflict and risk.
Robert Jervis is the Adlai E. Stevenson Professor of International Politics at Columbia University, specializing in international politics in general and security policy, decision making, and theories of conflict and cooperation in particular.
The views expressed are those of the authors and do not reflect the official position of the United States Military Academy, Department of the Army, Department of Defense, or that of any organization with which the authors are affiliated, including Columbia University.
Image credit: C. Todd Lopez, DoD