Lorem, ipsum

Full Terms & Conditions of access and use can be found at https://www.tandfonline.com/action/journalInformation?journalCode=rwaq20

The Washington Quarterly

ISSN: 0163-660X (Print) 1530-9177 (Online) Journal homepage: https://www.tandfonline.com/loi/rwaq20

Is Cyber Strategy Possible?

Wyatt Hoffman

To cite this article: Wyatt Hoffman (2019) Is Cyber Strategy Possible?, The Washington Quarterly, 42:1, 131-152, DOI: 10.1080/0163660X.2019.1593665

To link to this article: https://doi.org/10.1080/0163660X.2019.1593665

Published online: 16 Apr 2019.

Submit your article to this journal

Article views: 123

View Crossmark data

Wyatt Hoffman

Is Cyber Strategy Possible?

The United States holds unmatched cyber power by most accounts. Experts frequently portray U.S. cyber operations as second-to-none in sophisti-

cation. 1 Yet, many sense that it struggles to reliably use these capabilities to

protect and advance its interests in cyberspace. Mounting frustration over the

apparent lack of an effective “cyber strategy” to prevent or defeat adversaries’

cyber aggression has motivated Congress to create a “Cyberspace Solarium Com-

mission” to develop a cohesive U.S. strategic approach to cyberspace. 2

The U.S. approach has steadily evolved since the first National Strategy to Secure Cyberspace in 2003, but pressure created an inflection point in 2018. The Depart- ment of Defense’s new Cyber Strategy and the Trump administration’s apparent relaxation of rules for offensive cyber operations reflect a shift toward a more asser-

tive posture. 3 Other countries appear to be contemplating or undergoing similar

shifts as they struggle to manage escalating cyber competition and confrontation.

This subject has not lacked scholarly attention. Professor John Arquilla of the

Naval Postgraduate School and RAND scholar David Ronfeldt declared two and a

half decades ago that “cyberwar is coming.” 4 Yet, an amassing body of literature has

produced little consensus on the core tenets of a strategic framework for the use of

cyber capabilities. As another prominent RAND scholar and professor, Martin

Libicki, notes, cyber has not had its “grand strategist”—and might never have

one. 5 Instead, competing voices offer conflicting accounts of the utility and

purpose of cyber capabilities and how to deal with cyber-related problems. Distil-

ling insights for policy from this discourse remains a challenge driven by more than

the perennial academic-practitioner divide. But an effort to do so has never been

timelier as the United States, the United Kingdom, Germany, and others heighten

Wyatt Hoffman is a Senior Research Analyst at the Cyber Policy Initiative at the Carnegie

Endowment for International Peace, and can be contacted by email at whoffman@ceip.org.

Copyright © 2019 The Elliott School of International Affairs

The Washington Quarterly • 42:1 pp. 131–152 https://doi.org/10.1080/0163660X.2019.1593665

THE WASHINGTON QUARTERLY ▪ SPRING 2019 131

This article has been republished with minor changes. These changes do not impact the aca-

demic content of the article.

investments in offensive cyber capabilities and adopt more assertive postures in

cyberspace. 6

This article explores the different approaches that scholars have taken to the

question of cyber strategy. It aims not to adjudicate among them but to understand

whether and how they fit together. As is the case with any policy issue, defining the

problem to be solved is fundamental in shaping

these approaches. One strand of the literature

frames cyber strategy around the question of

what cyber capabilities contribute to traditional

state pursuits—can cyber provide a unique sol-

ution to problems of coercion and conquest?

Within this branch, scholars arguing that

cyber offers states a “revolutionary” new tool

for coercion and conquest often struggle to

articulate precisely how this potential can be

realized by a distinct cyber strategy. As a result,

some scholars conclude that cyberspace is an

“evolutionary” addition to the tools available to states, and the dilemma facing strat-

egy is simply how to integrate cyber capabilities with other policy tools of statecraft

and warfighting—economic sanctions, conventional military force, etc.

Another branch of the literature, however, defines the problem for cyber strat-

egy around a fundamentally new, salient form of strategic competition—the ambig-

uous space between war and peace. Cyber capabilities are uniquely suitable for

exploiting this space to cause harm in ways that previously were not possible.

They enable adversaries to slowly accrue strategic gains through actions below

the threshold that might trigger a forceful response. And as other domains of

state activity become dependent upon digital capabilities and assets, events

within cyberspace are increasingly crucial to shaping political, economic, military,

and social outcomes outside of it. Here a distinct problem emerges for scholars—the

problem is defined as not just a new tool, or even a space or a new domain (i.e. sea,

air or space), but a new dimension of relations between war and peace, and thus it

seems greater than any strategy based on cyber (or otherwise) can seem to manage.

Is “cyber strategy” meant to solve the problem posed by a traditional adversary

or rogue actor? Or is it meant to solve the problem of cyber aggression (or cyber

insecurity)? The contrasting definition of the problem appears most vividly in

debates over “cyber deterrence,” where these strands of the literature intersect

and where different assumptions about the nature of the problem produce

starkly different conclusions. Deterring a “strategic” cyberattack by a specific

adversary proves an altogether different challenge than deterring cyber aggression.

Sorting through debates about cyber strategy requires untangling niche debates

over cyber weapons and dynamics of cyber conflict, and separating their strands

There is little con- sensus on the core tenets of a strategic framework for the use of cyber capabilities.

Wyatt Hoffman

132 THE WASHINGTON QUARTERLY ▪ SPRING 2019

from deeper disagreements over the nature of the domain itself and its implications

for states. This article cannot hope to cover every important angle, but traces the

broader trajectory of the debates that have shaped views of cyber strategy. 7 It

argues that real progress has been made in developing an understanding of how

to more effectively employ cyber capabilities to achieve specific strategic objec-

tives. But this progress has not readily translated into a clear strategy to manage

incessant cyber aggression. Navigating this expanding space of strategic compe-

tition poses an evolving challenge for statecraft that may ultimately exceed the

scope of any single comprehensive cyber strategy. Recognizing the proper place

—and limits—of strategy therefore may be necessary to reach a more effective

approach to cyberspace.

What Is Cyber Strategy?

The elasticity of the term “cyber” poses an immediate problem. A brief survey of

the literature yields discussions of everything from using cyber weapons to destroy

adversaries’ military assets to holding technology vendors accountable for product

security. Ambiguous terminology creates problems for distinguishing between

different conceptions of strategy, best illustrated through analogy to a more tangi-

ble domain—the sea. Like the maritime domain, the cyber domain is both a battle-

space and a domain of overlapping political, economic, and social activity. “Naval

strategy” distinguishes considerations of state military power and objectives from

“maritime security” strategy—a broader conception that encompasses the protec-

tion of state interests, including commercial activities and natural resources, from

all kinds of threats emanating from and through the domain—not just state adver-

saries but also piracy, criminal activity, and even arguably threats like pollution.

These are obviously related, but maritime security entails a wider set of objectives

pursued through naval capabilities as well as international norms and institutions,

economic statecraft, and law enforcement, among other approaches. 8

No analogous terms are readily available yet to denote different aspects of cyber.

For some, cyber strategy is about the tools—using offensive and defensive cyber

operations to achieve policy objectives. For others, it is about the domain—pro-

tecting economic prosperity, social stability, and national security from threats

in and through cyberspace. These are intertwined but distinct endeavors. Of

course, scholars in many cases explicitly refer to one or the other. But the distinc-

tion is often lost, creating a source of confusion in debates.

The elasticity of cyber yields diverging definitions of “cyber power.” Some

scholars focus on those aspects most like naval power. For instance, Professor

John Sheldon of the School of Advanced Air and Space Studies summarizes

the strategic purpose of cyber power as “the ability to manipulate the strategic

Is Cyber Strategy Possible?

THE WASHINGTON QUARTERLY ▪ SPRING 2019 133

environment through and from cyberspace in peace and war for the ends of policy

while simultaneously disrupting, denying, and otherwise interfering with the

ability of an adversary to do the same.” 9 Others, such as Harvard Professor

Joseph Nye, offer a more holistic account of

how power manifests within cyberspace to

shape broader social, political, and economic

outcomes outside of the domain. Nye dis-

tinguishes “intra cyberspace power” from

“extra cyberspace power” and further divides

these into “hard power” and “soft power”

forms via both physical and informational

instruments. 10

David Betz and Tim Stevens,

professors at King’s College London, similarly

distinguish “military cyber-power” from other forms, including even using cyber-

space to influence discourses to define “the ‘fields of possibility’ that constrain

and facilitate social action.” 11

For example, states, corporations, and extremist

groups alike (among others) use cyberspace as a medium to shape narratives and

worldviews toward legitimizing their actions.

No consensus has emerged on even the range of elements to consider, much less

how to quantify and compare cyber power. Some focus narrowly on “hard power”

capabilities to exploit computer systems for espionage and to deliver disruptive or

destructive malware payloads. Others emphasize factors such as national compa-

nies’ market share in key information and communications technologies (ICTs)

and latent technical capacities of civilian populations. 12

Resolving these differences is beyond the immediate objective here. But it is dif-

ficult to arrive at any common view of strategy when both the objectives of cyber

strategy and the means available to pursue them are contested. Different views of

the scope and purpose of cyber strategy have been a fundamental point of conten-

tion throughout this debate, confusing it in the process.

Revolution or Evolution?

At the broadest level, the debate over strategy hinges on the question of whether

cyberspace and cyberwarfare are “revolutionary.” Those who view cyberspace as

fundamentally changing the nature of strategic competition and warfare argue

that it demands new paradigms for strategy. Others view it as merely an extension

of existing forms of competition into a new technological medium characterized

more by continuity and evolution in state behavior.

The revolutionary side warned of readily-attainable cyber weapons that would

allow rogue nations or even individual hackers to cause massive destruction

The elasticity of the term “cyber” yields diverging definitions of “cyber power.”

Wyatt Hoffman

134 THE WASHINGTON QUARTERLY ▪ SPRING 2019

without fear of reprisal, due to the difficulties of attribution. 13

Early appraisals of

the potential for apocalyptic cyberattacks to cripple a nation or military sparked

a wave of response from skeptics arguing that fears of strategic cyberattacks were

overblown, that cyber weapons capable of any meaningful impact were actually

quite costly and difficult to acquire, and that the uncertainties involved made

cyber an unreliable instrument for states. 14

This evolution-revolution distinction glosses over much nuance. But it is useful

to keep in mind as it has framed debates of cyber strategy around the employment

of cyber capabilities or “strategic cyberattacks” for coercive diplomacy and conven-

tional warfare—to compel adversaries to change behavior and to deter hostile

actions. While some maintain that the unique utility of cyber to accomplish tra-

ditional state pursuits warrants a distinct conception of strategy, the struggle to

articulate one has led many to the opposite conclusion.

Coercive Diplomacy in Cyberspace Cyber capabilities appear to offer attractive tools for coercion for a variety of

reasons: An operation’s effects can be tailored to the demands of the situation,

including their scope, duration, and visibility (private messages or public

signals). They allow for the precise targeting of hostile regimes and their benefac-

tors rather than blunter tools that might impact populations. They can be used in

lieu of more costly options (to the coercer and the target) like military force or

economic sanctions. 15

Yet, numerous scholars examining the strategic use of cyber capabilities have

chipped away at expectations of their utility for coercive diplomacy. 16 The peren-

nial challenges of signaling messages to adversaries without fully understanding

their perceptions are compounded by the unique uncertainties and ambiguities

of cyber operations. A cyber operation intended as a signal may go entirely unno-

ticed by the target—or be misinterpreted as an attack. Even if the effects are under-

stood, the intent behind them (and whether they were intentional at all) could

remain unclear. As Columbia University Professor Robert Jervis notes, “it is

likely that the country that is the object of the attack would assume that any

effect was the intended one.” 17

For instance, in the midst of a crisis, a limited intrusion into sensitive military

systems (e.g. satellites) designed to send a signal of resolve could be misperceived

as a prelude to a preemptive strike. Under pressure, leaders may assume the worst-

case scenario. The problems with signaling are further exacerbated by the lack of

common understandings of what actions are escalatory in cyberspace. 18

Cyber

weapons are on a spectrum from nuisance-level to effects on the scale of WMDs

(for instance if an electric grid was damaged). However, there are no clear “fire-

breaks” analogous to the clear line between conventional warfare and nuclear

Is Cyber Strategy Possible?

THE WASHINGTON QUARTERLY ▪ SPRING 2019 135

use. Even within countries, there is likely no shared sense of what kind of cyber-

attack constitutes an escalated response in any given situation—much less a

broader understanding among adversaries.

Technical factors add to the challenge of

conveying credible threats of punishment via

cyber means. In most cases, it is extremely dif-

ficult to convincingly demonstrate a capability

to attack a particular system without simul-

taneously informing the target of how to

defend against it (by alerting them to an intru-

sion or vulnerability). Libicki suggests that

certain capabilities could be “brandished”—

for instance manipulating an adversary’s

system in a limited fashion to send a signal. 19

In a similar vein, Max Smeets and Herb Lin at Stanford University argue that

cyber capabilities can be selectively applied and reversed for compellence. 20

But

generally, the requirements for maintaining assurance in an offensive capability

and for communicating that capability effectively run counter to each other.

Moreover, even the most highly choreographed cyber operations face unavoidable

concerns over escalation, unintended consequences, and the proliferation of capa-

bilities to non-state actors (the Stuxnet cyberattack against Iran seems to have

already demonstrated the ability of victims to reverse-engineer cyber weapons). 21

Recognizing these challenges, some scholars have attempted to carve out a nar-

rower role for cyber capabilities in coercive diplomacy. Professors Brandon Valer-

iano and Benjamin Jensen of the Marine Corps University and Ryan Maness of the

Naval Postgraduate School describe three broad strategies for the use of cyber

capabilities in coercion: “cyber disruption” to harass and inflict limited costs to

influence decisions; “cyber espionage” to manipulate perceptions and generate bar-

gaining benefits in a coercive interaction; and (far rarer) “cyber degradation” to

inflict significant costs by causing severe disruption or destruction. However,

their analysis of the efficacy of these strategies suggests that, in any case, cyber

capabilities rarely produce strategic outcomes independent of other tools. 22

Cyber Warfare Many scholars skeptical of the purported strategic potential of cyber capabilities

instead argue that the primary role and purpose of cyber weapons will be to

enhance and augment the operational potential of conventional military force.

Professor Colin Gray, a well-known military strategist, argues that “cyber power

will prove most useful (or dangerous, as enemy cyber power) as an enabler of

joint military operations. Horror scenarios of stand-alone cyberattacks are not

There is likely no shared sense of what kind of cyber- attack constitutes an escalation.

Wyatt Hoffman

136 THE WASHINGTON QUARTERLY ▪ SPRING 2019

persuasive.” 23

Cyber capabilities contribute more modestly to exacerbating the

“friction” that is omnipresent in making and executing military strategy. Thus,

even acknowledging the unprecedented speed and pervasiveness of potential

cyberattacks, cyber defense “should be sufficiently effective.” 24

Libicki arrives at a similarly modest assessment of cyber weapons. Cyberattacks

“unexploited by kinetic operations are more like raids than wars.” 25

They cannot

conquer territory or overthrow a rival. Still, he argues, advanced militaries’ depen-

dence upon real-time information and networking capabilities makes cyber oper-

ations an essential component of modern warfare. Superior cyberwarfare

capabilities employed preemptively or early in conflict can potentially translate

into significant tactical advantages.

Realizing this potential contribution to warfighting requires overcoming a host

of issues with how to integrate cyber capabilities with conventional forces. Com-

munication barriers between cyber operators (often under tight classification rules)

and tactical commanders must be broken down. 26

Leadership may be tempted to

interfere at lower levels to micromanage capabilities, impeding their effective-

ness. 27

The potential for cyber operations to impact civilian infrastructure or

spread outside of the theater raises further concerns over escalation and legality

under the Law of Armed Conflict that must be assuaged. 28

Finally, the need for extensive intelligence, planning, and operational prep-

aration of the environment for cyberattacks to achieve significant, sustained

impacts presents a dilemma for integration at lower levels. As Lin argues, absent

extensive preparation, cyber operators are likely left with only blunt, indiscrimi-

nate attacks on adversary systems—options most likely to cause collateral

damage or have wider consequences that call for higher-level assessment and

approval. 29

Moreover, the difficulty of battle damage assessment undermines the

assurance in the success of a cyberattack needed for commanders in the field to

exploit the opportunities it creates. Thus, scholars converge on the need to inte-

grate cyber operations into extensive campaign plan-

ning to maximize their effectiveness. 30

Again, scholars chiseled down to a far narrower

vision of cyber capabilities’ contribution. Erica Bor-

ghard and Shawn Lonergan, professors at the U.S.

Military Academy at West Point, thus identify strat-

egies of attrition (eroding adversaries’ capabilities to

wage war), denial (increasing costs to an adversary

to make a military objective prohibitively costly),

and decapitation (cutting of adversaries’ communi-

cations and command and control) as suitable for

the unique capacities of cyberwarfare. 31

The capacity

of cyberattacks to generate fear or inflict pain upon adversaries’ leadership and/or

Cyber weapons may target the adversary’s capacity to wage war more than its resolve to do so.

Is Cyber Strategy Possible?

THE WASHINGTON QUARTERLY ▪ SPRING 2019 137

populations falls short of the threshold needed to be decisive in other strategies. In

other words, cyber weapons may contribute more toward warfighting strategies

that target the adversary’s capacity to wage war rather than its resolve to do so.

Bringing Cyber Back Down to Earth? This speaks to a common theme running through the debate over cyber operations

in both coercion and warfighting: When described in the abstract, the features and

advantages of cyber weapons seem to add up to something revolutionary—cheap,

deniable, scalable, instantaneous, and highly tailored. But as the realistic require-

ments and constraints of coercive or warfighting strategies are imposed, it becomes

increasingly difficult to see how cyber weapons can meet them all while retaining

their revolutionary potency. Cyberattacks on critical infrastructure can inflict

severe punishment, but the need for secrecy undermines their coercive value. Tai-

lored, reversible effects solve the problem of signaling for compellence, but will

rarely cause enough punishment to change behavior (by themselves). Moreover,

in any scenario where the stakes are high enough to contemplate strategic cyber-

attacks, will there be enough confidence to peg one’s strategy on their success

when a simple patch to a system may completely mitigate a meticulously

planned operation? As eminent strategist Sir Lawrence Freedman observes, the

uncertainties involved “make cyberweapons an uncertain foundation for

aggression.” 32

None of this is to discount the importance of cyber as an instrument of strategy.

Indeed, it has become a necessary component of warfighting—yet is insufficient by

itself. There is an emerging consensus that cyber tools are best used in combination

with other instruments. While they may not be superior to other tools, they give

leaders strategic flexibility by creating options that would otherwise be unavail-

able. 33

Recognition of their limits helps situate cyber tools more effectively in

coercive and warfighting strategies. But the more skeptical accounts seem to

diminish the question of cyber strategy to a series of logistical and practical

hurdles to be overcome in integrating cyber with other tools of coercion and

warfighting.

Between Cyberwar and Peace

This more modest picture of cyber capabilities that emerges here does not explain

why states are clearly struggling to navigate cyber competition and confrontation.

A distinct strand of scholarship offers an alternative account of why cyberspace has

become so self-evidently important to states. These scholars generally share the

view of skeptics that the prospects of strategic cyberattacks or cyberwar are over-

stated. However, they assert that the focus on whether cyber tools are strategically

Wyatt Hoffman

138 THE WASHINGTON QUARTERLY ▪ SPRING 2019

decisive distracts from the more important implications that cyberspace has in

shaping existing and new forms of strategic competition—in particular the trend

toward conflict in the “gray zone” between war and peace.

Professor Lucas Kello at the University of Oxford argues that “the capacity of

cyber arsenals to augment military force is not their main significance … the

new weapons expand the available methods of harm that do not fit established

conceptions of war but may be no less harmful to national security.” 34

Betz and

Stevens similarly describe a state of constant “cyber-skirmish” with “few or no

single engagements of strategic consequence, however weighty in aggregate the

stakes may be.” 35 Incessant cyber aggression including espionage, economic disrup-

tion, intellectual property theft, misinformation and other politically-motivated

cyberattacks can, over time, add up to strategic impacts worse than a single devas-

tating cyberattack.

Recent scholarship has shifted the goalposts of the evolution-revolution debate.

While states have clearly taken to cyberspace to wage aggression, scholars differ on

the relative importance of gray zone competition and the degree to which cyber is

a symptom or cause. Two of the more skeptical scholars, Erik Gartzke at the Uni-

versity of California, San Diego, and Jon Lindsay at the University of Toronto

describe cyber as just one of a number of tools uniquely suitable to “low-intensity

conflict behavior” because of their ability to leverage deception. 36

Kello, by con-

trast, suggests that cyberspace plays a direct role in fueling the expansion of this

space of “unpeace”—“mid-spectrum rivalry lying below the physically destructive

threshold of interstate violence, but whose harmful effects far surpass the tolerable

level of peacetime competition and possibly, even, of war.” 37

While the initial “revolutionary” appraisals fixated on the threat of a “cyber

Pearl Harbor”—a sudden, dramatic escalation in the level of destruction—the

potential for “death by a thousand cuts” encapsulates the principal concern of

this wave of scholarship focused on cyber aggression in the gray zone. 38

Mass-

scale theft of intellectual property from private companies erodes a nation’s eco-

nomic vitality. Cyber intrusions into the defense supply chain allow adversaries

to jeopardize critical military advantages by stealing sensitive design schematics,

implanting malicious code into military systems, or even sabotaging production

processes. Sustained disinformation campaigns undermine social cohesion and

paralyze political processes. Discrete cyber operations rarely have serious conse-

quences but over time, sustained cyber aggression can accumulate to dramatic stra-

tegic impacts. 39

Cyber operations allow adversaries to accomplish large-scale harm incremen-

tally without crossing a threshold of aggression that would likely trigger an escala-

tory response. Adversaries have every reason to refrain from launching destructive

cyberattacks that would risk a military confrontation if they can achieve their

objectives through lower-risk, opportunistic cyber campaigns. Michael

Is Cyber Strategy Possible?

THE WASHINGTON QUARTERLY ▪ SPRING 2019 139

Fischerkeller at the Institute for Defense Analysis and Richard Harknett at the

University of Cincinnati argue that these incentives explain the “de facto

ceiling” keeping cyber aggression below the level equivalent to an armed attack

—yet within this boundary the scope, scale, and intensity continue to increase. 40

Whether or not this ceiling can hold indefinitely remains to be seen. But the

concern they underscore is precisely that even without escalating, sustained

efforts to degrade the sources of national power vulnerable to cyber interference

could accumulate to a broader shift in the balance of power.

These scholars emphasize the importance of cyber competition as a function of

the growing dependence on information flows and digital assets of all other areas of

state power and competition—economic prosperity, military might, strategic com-

munication, intelligence, and so on. Events within cyberspace increasingly shape

the fortunes of states outside of it. As Harknett and Emily Goldman, Director of

the Cyber Command and National Security Agency Combined Action Group,

assert, cyber power “should be understood as an end in and of itself.” 41

Some take this conclusion even further to suggest that the struggle for control

over cyberspace itself is becoming the dominant form of strategic competition in

the Information Age. Professor Chris Demchak of the U.S. Naval War College

thus describes “a new form of system-vs-system ‘cybered conflict’” in which like-

minded democratic states must counter the efforts of authoritarian states—in par-

ticular China—not just to use cyberspace to advance their interests but to shape

the domain itself down to its underlying technological substrate. 42

This includes

efforts to dominate global markets in key

areas like telecommunications to promote

Chinese technical standards and information

controls. Robert Bebber, an officer in the

U.S. Navy, ascribes similar weight to emerging

“geo-informational competition” among major

powers. 43

He argues that information should

be viewed as a “strategic resource” (like oil)

that states will compete over and attempt to

harness for military, economic, and other

advantages. This creates new imperatives for

strategy to cultivate and harness informational

advantages while denying those to adversaries. For instance, this elevates the need

to counter adversaries’ efforts to siphon intellectual property from corporations via

domestic regulations that require corporations to reveal their source code.

This framing in terms of a fundamental shift in state competition entails not just

a different strategy for using cyber tools, but broadening the aperture through

which cyber strategy is viewed. Strategists should not solely be concerned with

adversaries’ capabilities to target networks and data, but tectonic shifts in

In the Information Age, is the struggle for control over cyberspace the dominant strategic competition?

Wyatt Hoffman

140 THE WASHINGTON QUARTERLY ▪ SPRING 2019

cyberspace itself—trends in the control of internet infrastructure, leverage in inter-

national ICT markets, global flows of data and technology, and advantages in deci-

sive innovations like artificial intelligence and quantum computing, among

others. The value of cyber capabilities lies in their ability to secure crucial,

long-term advantages in these areas more so than their fleeting contribution to

military operations or coercive diplomacy.

Searching for Cyber Deterrence

Regardless where one falls on the question of the broader stakes, dealing with the

growing space of constant, low-level cyber aggression targeting public and private

sectors alike has clearly become a central challenge for many states. Desperate for

solutions, academics and politicians alike have converged on the search for deter-

rence in cyberspace. 44 Here, distinct strands in the literature intersect. The debate

itself has been fraught with confusion. Some focus narrowly on “cyber-on-cyber”

deterrence, while others view it in a cross-domain context—whether an “all

tools” approach to deterring cyberattacks or the use of offensive cyber operations

to deter other kinds of harm.

The point of departure for scholars begins with the underlying conditions that

necessitate deterrence. While many take for granted the offense-dominant nature

of cyberspace, some have argued that the ease of offense has been overstated.

Simply penetrating a network can be a relatively easy task for hackers. Orchestrat-

ing a cyberattack with real strategic consequence like Stuxnet, however, can be

extremely resource-intensive and require unique intelligence and reconnaissance,

as well as specific programming expertise. 45 As requirements for an offensive attack

increase—scope and duration of effects, undetectability, etc.—the complexity of

the attack increases and the capabilities to conduct it rapidly exceed those avail-

able to the vast majority of malicious actors. 46 Gartzke and Lindsay thus argue that

“offense dominance may exist only for nuisance attacks that are rarely strategically

significant, such as piracy, espionage, and ‘hacktivist’ protest, even as the Internet

is defense dominant for more harmful or complicated forms of attack.” 47

Scholars focused on the novelty of strategic competition within cyberspace

identify deeper sources of cyber insecurity. States’ interests are increasingly teth-

ered to digital assets that are readily exposed to disruption via capabilities

within reach of a vast range of actors. The fact that cyberspace is by and large pri-

vately built, owned, and operated creates what Kello describes as a condition of

“defense fragmentation”—the protection of national interests is not entirely in

the hands of states as they depend to some extent upon private companies’ own

security, even in the case of critical national infrastructure. 48

The “terrain” itself

constantly changes, shifting the barriers and opportunities for both offense and

Is Cyber Strategy Possible?

THE WASHINGTON QUARTERLY ▪ SPRING 2019 141

defense. Harknett and Goldman suggest, therefore, that the best description for

the cyber domain is “offense-persistent” rather than offense-dominant: In this

interconnected space, probing defenses and searching for weaknesses are low

cost and low risk efforts, and thus are virtually constant even though they do

not always accomplish their objectives—defense is “resilient and salient, but

under constant stress.” 49 The degree to which the relative advantages of attacking

rather than defending networks at a technical level translate into advantages for

offense over defense at the strategic level remains an open question. In either

case, the problem of cyber defense does not

appear likely to get easier.

Whether for preventing strategic cyberat-

tacks or low-level cyber aggression, the

straightforward application of deterrence as a

framework quickly runs into problems. 50

The

challenge of timely attribution of cyberattacks

and dilemmas of a public response serve to

embolden malicious actors by diminishing to

some extent the prospects of retaliatory punish-

ment. States increasingly exploit this plausible deniability by using proxies. The

vast range of strategic actors—many of whom are not themselves susceptible to

retaliation via cyber means to the same extent—complicates any cohesive

approach to shaping adversaries’ behavior. These and other difficulties prompt

calls to abandon deterrence frameworks altogether. 51

Thinking Outside the Cold War Nuclear Box Those who seek to salvage the framework have approached it from different angles

focused on either the means or objectives of deterrence. Nye argues that the key

problem with the deterrence framework is scholars’ fixation on the traditional

approaches of deterrence by denial and punishment (and Cold War analogies).

He advocates an approach that includes normative taboos and deterrence by

entanglement—leveraging the interdependencies of cyberspace to convey to

adversaries that the blowback and other costs of their attack would exceed the

benefits. 52

Coming from the other direction, some suggest that denial and punishment

have been too quickly jettisoned, and that the key issue is setting the right

threshold for deterrence. For instance, Uri Tor, researcher at the Interdisciplinary

Center Herzliya, suggests that a fixation in the United States on “absolute deter-

rence”—inherited from the Cold War experience with nuclear deterrence—

creates a false expectation that it can or should be oriented toward preventing

all malicious activity. But deterrence need not prevent all attacks, Tor argues, if

The straightfor- ward application of deterrence as a framework quickly runs into problems.

Wyatt Hoffman

142 THE WASHINGTON QUARTERLY ▪ SPRING 2019

it can motivate adversaries to restrict the scope and scale of their aggression.

Drawing from the Israeli experience dealing with the fusion of adversaries’ conven-

tional military capabilities and terrorist threats, he describes an approach to

“cumulative deterrence” that combines communication of threats and the actual

use of force to moderate and bound aggression over time rather than attempt to

prevent it entirely. 53

Applied to cyberspace, this entails an iterative process of

learning, communicating red lines, and “recharging” deterrence by carrying out

punishment in various forms (through a combination of cyber and non-cyber

means). As virtually everyone now acknowledges, no strategy could realistically

deter all malicious activity in cyberspace. But unlike nuclear deterrence, cyber

deterrence doesn’t automatically fail if an attack is launched. An iterative

approach could be undertaken to communicate through both signals and retalia-

tory action those activities considered unacceptable, such as adversaries’ intrusions

into critical infrastructure.

The Defense Science Board’s (DSB) 2017 report by the Task Force on Cyber

Deterrence expresses a similar logic. The report argues that retaliatory capabili-

ties are necessary because a failure to respond to attacks “carries near-certainty

of suffering otherwise deterrable attacks in the future.” 54

It asserts that deter-

rence can be made manageable by breaking down the problem space—prioritiz-

ing key systems that must be resilient (e.g., the U.S. nuclear deterrent) and

tailoring capacities to deny benefits and impose costs across the range of

threat actors.

Kello combines the emphasis on collective responses to aggression and the focus

on identifying actionable thresholds for deterrence. 55

Rather than focusing on

defining red lines for individual acts or attacks, he argues that the threshold com-

municated to adversaries should focus on the cumulative impacts of hostile behav-

ior, whether resulting from a single large-scale cyberattack or the accretion of

effects over time. For instance, allied states aiming

to deter Russian political interference via cyber

means (hacking, disinformation, vandalism etc.)

should consider the point at which malicious actions

dispersed among them and drawn out over time

amount to a cumulative impact significant enough

to justify a collective response. Kello’s strategy of

“punctuated deterrence” would not be triggered by

any single attack but would retain retaliatory capabili-

ties for a collective response among allies whenever

the threshold of cumulative effects is crossed.

Competing assumptions about both the nature of

the challenge and purpose of strategy collide to produce starkly different assess-

ments of the viability of deterring cyber harm. Constant, low-level cyber

Realigning deterrence toward an objective more realistic than stopping all attacks is promising.

Is Cyber Strategy Possible?

THE WASHINGTON QUARTERLY ▪ SPRING 2019 143

aggression convinces some observers that deterrence has failed. 56

Others see the

same activity as evidence that deterrence has successfully constrained cyber

conflict. 57

Cyber deterrence in the narrowest sense certainly seems possible—i.e. a specific

adversary in a crisis or conflict can be deterred from launching a “strategic” cyberat-

tack. Cyber aggression (including harassment, vandalism, theft, etc.) more broadly

presents a trickier problem. Applying a deterrence framework to a wide range of

unwantedadversarybehaviorforcesonetomovebeyondthegoal of“absolutepreven-

tion.” But then, debates intensify over what behaviors realistically can and should be

deterred in this gray space. Stretching deterrence to manage the full scope of cyber

harm has clearly proven difficult and may even be counterproductive; as Professor

Dorothy Denning of the Naval Postgraduate School observes, “cyber deterrence”

may be misleading in the same way that a notion of “sea deterrence” would only dis-

tract from the task of dealing with specific threats in the maritime domain. 58 Never-

theless, harnessing a wider range of mechanisms to shape behavior and realigning

deterrence toward a more realistic objective (preventing the kinds of cumulative stra-

tegic consequences of real concern) are both promising approaches.

From Deterrence to Persistence Some remain committed to the project of cyber deterrence. But as focus has shifted

toward the cumulative impacts of low-intensity cyber aggression, more proactive

approaches to counter malicious activity have gained a foothold. Fischerkeller and

Harknett thus advance an alternative framework for a strategy of “cyber persistence.” 59

Within cyberspace, adversaries are in constant contact in an incessant struggle for stra-

tegic advantage. Exercising restraint in the hopes of avoiding cyber conflict will only

“accumulate a strategic deficit in cyberspace” as de facto norms of behavior are charac-

terized by constant efforts to exploit the domain for strategic gain. Instead, they argue,

the United States should embrace the inevitability of engagement in a strategy of “per-

sistent operational contact” that includes automated measures to counter intrusions

and disrupt adversaries, over time translating into strategic advantage. Scott Jasper

of the Naval Postgraduate School makes a comparable argument for employing

“active cyber defense” measures at the tactical level to deny benefits and impose

costs to attackers, framed in the broader context of a deterrence strategy. 60

The logic of persistent engagement has recently taken hold in U.S. strategic

thinking. In 2018, it surfaced in official documents. Cyber Command’s recently-

released Command Vision asserts that “adversaries operate continuously below the threshold of armed conflict to weaken our institutions and gain strategic

advantages.” Thus, the Command pledges to “sustain strategic advantage by

increasing resiliency, defending forward, and continuously engaging our adver-

saries.” 61 This was formalized in the Department of Defense’s 2018 Cyber Strategy,

Wyatt Hoffman

144 THE WASHINGTON QUARTERLY ▪ SPRING 2019

which aims to “defend forward to disrupt or halt malicious cyber activity at its

source.” 62

This evolution in U.S. strategy toward a more forward-leaning defensive

posture set off a debate over its potential risks, including fueling a cycle of escala-

tion in cyberspace. 63

The debate itself reflects a broader shift away from focusing

on isolated cyber engagements and toward attention to the long-term trends in

successive interactions between adversaries in cyberspace. Fischerkeller and Har-

knett convey this idea clearly, arguing that individual engagements and decisions

of how to respond to aggression over time shape the areas of “agreed competition”

among states in cyberspace. 64 Tor’s iterative approach to deterrence similarly aims

to shape the broader trend in the scope and scale of aggression rather than the pro-

spects of any single attack. As the DSB Task Force report asserts, undue restraint in

responding to malicious cyber activity encourages escalation by reinforcing percep-

tions of low risks and high rewards. But how the escalatory risks of restraint weigh

against the escalatory risks of various potential responses remains an open ques-

tion. At any rate, the shift in thinking helps distinguish and link together the

different ways of thinking about cyber strategy. States are competing in specific

forms and areas—cyberespionage, military cyber capabilities, political interfer-

ence, etc.—but simultaneously struggle to shape the trajectory of cyber compe-

tition itself through these interactions.

Is Cyber Strategy Different?

Assessing the progress made to date in these debates is a challenge. No one or two

contributions has captured the full considerations of cyber strategy. The literature

has advanced well beyond the initial evolution-revolution debate, branching off in

productive directions—more numerous than can be adequately covered here—

exploring the dynamics of cyber conflict, dimensions of cyber power, and the beha-

viors of state and non-state actors, among others. 65

The debate is also growing

more complicated as the intersection of cyber operations and misinformation cam-

paigns comes to the fore. Fundamental disagreements over the overarching impor-

tance of cyberspace remain, but the insights from this debate reveal important

challenges for cyber strategy and point to a way forward.

Unclear terminology remains a sticking point. Scholars are building a more

thorough account of the characteristics of cyber operations and how they can con-

tribute to strategic objectives. But a more robust understanding of how to situate

cyber capabilities in coercive and warfighting strategies has not produced a com-

prehensive cyber strategy for the same reason that a robust account of naval

weapons and warfare does not immediately translate into a comprehensive mari-

time security strategy.

Is Cyber Strategy Possible?

THE WASHINGTON QUARTERLY ▪ SPRING 2019 145

The more thorough account of cyber conflict that has emerged does help clarify

the relationship between specific strategies employing cyber capabilities and a

broader strategy for cyber security. For example, an approach to proactively

shaping the areas of agreed competition in cyberspace determines, in part, individ-

ual choices when and how to employ both offensive and defensive capabilities. 66

The aggressive use of offensive cyber weapons has inevitable ramifications for how

others will use them. Likewise, an effort to shape the “terrain” of cyberspace itself

can determine future prospects for offense and defensive strategies. Thus, some

argue that cyber strategy should focus not just on defense and deterrence but influ-

encing behavioral and technological trends to “make cyberspace defensible.” 67

With the distinction between different conceptions of strategy in mind, the

apparent gaps between competing proposals can often be bridged. For instance,

Kello and Tor on the one hand, and Fischerkeller and Harknett on the other,

all start from similar views of the challenge of constant low-level aggression, yet

come to different conclusions about the prospects for deterrence. Fischerkeller

and Harknett focus on the broader cyber security challenge and see deterrence col-

lapsing under its weight. Kello and Tor seek to relocate the proper strategic role for

deterrence by identifying realistic thresholds; Kello has different answers for

dealing with the broader problem of defense fragmentation, including exploring

how to “improve civilian strategic depth” through better private sector defenses. 68

These approaches are oriented toward different aspects of the problem and may be

complementary (as Fischerkeller and Harknett themselves suggest). 69

The academic debate reveals potential pitfalls relevant to the practical chal-

lenges of formulating strategy. Most important is the risk of a mismatch between

means and objectives—fixating narrowly on offensive and defensive cyber oper-

ations, but trying to solve broader problems of

cyber security. For instance, undertaking to

counter every cyber threat to the private

sector would be akin to a strategy for maritime

security that seeks to defend every commercial

vessel without distinguishing the values of their

cargo or setting any constraints on where they

sail. Preventing harm from cyberspace is as

much a matter of mitigating exposure in the

first place as it is improving defense and deter-

rence. Thus, like a strategy for maritime secur-

ity, strategy for cyber security engages a wider

set of considerations than offensive and defensive operations. Crucial consider-

ations include how to shape international norms, secure technological advantages,

and divide responsibilities for cybersecurity among governments and the private

sector. 70

The academic debate reveals potential pitfalls relevant to formulating strategy practically.

Wyatt Hoffman

146 THE WASHINGTON QUARTERLY ▪ SPRING 2019

These insights underscore important questions that remain for the task of for-

mulating a comprehensive cyber strategy. The Pentagon’s “defend forward” rep-

resents a partial conclusion that these tools are not best-left sitting on the shelf. It is arguably a step in the right direction in terms of getting more value out of

U.S. cyber capabilities; however, it does not answer the question of what

broader outcomes the United States should pursue and how others might

respond. 71 Does it need a more holistic strategy to secure informational advantages

and deny those to adversaries? How will broader trends in behavior and technol-

ogy, such as the emergence of artificial intelligence or potential “balkanization” of

the internet, affect its cyber security? 72

Finally, it is worth reflecting on Lawrence Freedman’s argument for recognizing

the limits of strategy. 73 Is it realistic and prudent to seek a comprehensive strategy

for cyberspace? In a constantly evolving domain, having a clearly defined end-state

and strategy to achieve it may be less feasible than arriving at a general sense of the

characteristics of a stable environment in which U.S. interests can be protected.

This could be something akin to the constellation of norms and mechanisms

that emerged to order the maritime domain, creating spaces for safe passage for

commerce and civilian activity while confining state competition and confronta-

tion to circumscribed areas.

There may not be a single strategy for arriving at such an environment, but this

vision would orient actors and help guide their responses to changing circum-

stances in ways that advance the vision. In the absence of a clear sense of the

broader trajectory of the domain, a more aggressive posture by states could end

up shaping spaces of agreed competition in ways that are destabilizing in the

long run. Particularly as the United States and numerous other countries shift

toward a more forward-leaning defensive posture, it will be important to have a

sense of how to manage these activities in a way that steers the domain overall

in a positive direction.

Notes

1. See, for example, “Cataloging the World’s Cyberforces,” Wall Street Journal, December 28, 2015, http://graphics.wsj.com/world-catalogue-cyberwar-tools/.

2. Robert Chesney, “The Cyberspace Solarium Commission: A Timely Proposal,” Lawfare, June 20, 2018, https://www.lawfareblog.com/cyberspace-solarium-commission-timely-

proposal.

3. Dustin Volz, “White House Confirms It Has Relaxed Rules on U.S. Use of Cyberwea-

pons,” Wall Street Journal, Sept. 20, 2018, https://www.wsj.com/articles/white-house- confirms-it-has-relaxed-rules-on-u-s-use-of-cyber-weapons-1537476729; Kate Charlet,

“How the U.S. Approach to Cyber Conflict Evolved in 2018—And What Could Come

Next,” World Politics Review, December 26, 2018, https://www.worldpoliticsreview.com/

Is Cyber Strategy Possible?

THE WASHINGTON QUARTERLY ▪ SPRING 2019 147

articles/27071/how-the-u-s-approach-to-cyber-conflict-evolved-in-2018-and-what-could-

come-next.

4. John Arquilla and David Ronfeldt, “Cyberwar is Coming!” Comparative Strategy 12, no. 2 (1993).

5. Martin Libicki, “Why Cyber War Will Not and Should Not Have Its Grand Strategist,”

Strategic Studies Quarterly (Spring 2014). 6. See Sven Herpig, “As Germany Moves Toward a More Offensive Posture in Cyberspace, It

Will Need a Vulnerability Equities Process,” NetPolitics, Sept. 4, 2018, https://www.cfr.org/ blog/germany-moves-toward-more-offensive-posture-cyberspace-it-will-need-

vulnerability-equities; “Britain Steps up Cyber Offensive with New £250m Unit to Take

on Russia and Terrorists,” The Telegraph, Sept. 21, 2018, https://www.telegraph.co.uk/ news/2018/09/21/britain-steps-cyber-offensive-new-250m-unit-take-russia-terrorists/.

7. The focus of this article is limited to debates within primarily Western policy and academic

circles. Fundamental differences exist between these views and those of Russian, Chinese,

and other scholars and strategists, but exploring these is beyond the present scope.

8. Christian Bueger, “What Is Maritime Security?” Marine Policy 53 (2015). 9. John B. Sheldon, “Toward a Theory of Cyber Power,” in Cyberspace and National Security:

Threats, Opportunities, and Power in a Virtual World, ed. Derek Reveron (Washington, DC: Georgetown University Press, 2012), 207.

10. Joseph Nye, “Cyber Power,” Essay from the Belfer Center for Science and International

Affairs, Harvard Kennedy School (2010), http://belfercenter.ksg.harvard.edu/

publication/20162/cyber_power.html.

11. David Betz and Tim Stevens, Cyberspace and the State: Toward a Strategy for Cyber-Power (New York, NY: Routledge, 2011), 50.

12. A few notable examples of diverging definitions or measurements of cyber power include

Alexander Klimburg, “Mobilising Cyber Power,” Survival 53, no. 1 (2011); Aaron Brantly, The Decision to Attack: Military and Intelligence Cyber Decision-Making (Athens, GA: Uni- versity of Georgia Press, 2016); Nigel Inkster, “Measuring Military Cyber Power,” Survival 59, no. 4 (2017); Robert Bebber, “Cyber Power and Cyber Effectiveness: An Analytic Fra-

mework,” Comparative Strategy 36, no. 5 (2017). 13. See, for instance, Richard A. Clarke and Robert Knake, Cyber War: The Next Threat to

National Security and What to Do about It (New York: HarperCollins, 2010). 14. Thomas Rid, “Cyber War Will Not Take Place,” Journal of Strategic Studies 35, no. 1

(2011); Erik Gartzke, “The Myth of Cyberwar: Bringing War in Cyberspace Back Down

to Earth,” International Security 38, no. 2 (2013); Jon Lindsay, “Stuxnet and the Limits of Cyber Warfare,” Security Studies 22, no. 3 (2013).

15. David Gompert and Martin Libicki, “Waging Cyber War the American Way,” Survival 57, no. 4 (2015); Max Smeets and Herbert S. Lin, “Offensive Cyber Capabilities: To What

Ends?” in 2018 10th International Conference on Cyber Conflict ed. Tomáš Minárik, Raik Jakschis, and Lauri Lindstrom (Tallinn: NATO CCD COE Publications, 2018), https://

ccdcoe.org/sites/default/files/multimedia/pdf/Art%2003%20Offensive%20Cyber%

20Capabilities.%20To%20What%20Ends.pdf.

16. See David Gompert and Martin Libicki, “Waging Cyber War the American Way”; Erica

Borghard and Shawn Lonergan, “The Logic of Coercion in Cyberspace,” Security Studies 26, no. 3 (2017); Robert Jervis, “Some Thoughts on Deterrence in the Cyber Era,”

Journal of Information Warfare 15, no. 2 (2016). 17. Jervis, “Some Thoughts on Deterrence in the Cyber Era.”

Wyatt Hoffman

148 THE WASHINGTON QUARTERLY ▪ SPRING 2019

18. Here it is worth noting that China, Russia, and other states far more concerned with con-

trolling the content of information flows may have starkly different perceptions than Western states of how escalatory certain actions might be (for instance, cyber operations

undermining a country’s censorship apparatus). See Tim Maurer, Cyber Mercenaries: The State, Hackers, and Power (New York, NY: Cambridge University Press, 2017), 53–54.

19. Martin Libicki, Brandishing Cyberattack Capabilities (Santa Monica, CA: RAND Corpor- ation, 2013).

20. Max Smeets and Herbert S. Lin, “Offensive Cyber Capabilities: To What Ends?”

21. Kim Zetter, “The NSA Acknowledges What We All Feared: Iran Learns From US Cyber-

attacks,” Wired, February 10, 2015, https://www.wired.com/2015/02/nsa-acknowledges- feared-iran-learns-us-cyberattacks/.

22. Brandon Valeriano, Benjamin Jensen, and Ryan C. Maness, Cyber Strategy: The Evolving Character of Power and Coercion (New York, NY: Oxford University Press, 2018).

23. Colin S. Gray, Making Strategic Sense of Cyber Power: Why the Sky Is Not Falling (Carlisle, PA: U.S. Army War College Press, 2013).

24. Ibid, 45.

25. Martin Libicki, Cyberspace in Peace and War (Annapolis, MD: Naval Institute Press, 2016), 265.

26. Andrew Metcalf and Christopher Barber, “Tactical Cyber: How to Move Forward,” Small Wars Journal (2014), http://smallwarsjournal.com/jrnl/art/tactical-cyber-how-to-move- forward#_edn7.

27. John B. Sheldon, “Toward a Theory of Cyber Power,” in Cyberspace and National Security: Threats, Opportunities, and Power in a Virtual World, ed. Derek Reveron (Washington, DC: Georgetown University Press, 2012).

28. Gompert and Libicki, “Waging Cyber War the American Way.”

29. Herbert Lin, “Operational Considerations in Cyber Attack and Cyber Exploitation,” in

Cyberspace and National Security: Threats, Opportunities, and Power in a Virtual World ed. Derek Reveron (Washington, DC: Georgetown University Press, 2012).

30. Lin, “Operational Considerations in Cyber Attack and Cyber Exploitation”; Michael

Sulmeyer, “Campaign Planning with Cyber Operations,” Georgetown Journal of Inter- national Affairs 18, no. 3 (2017); Austin Long, “A Cyber SIOP? Operational Consider- ations for Strategic Offensive Cyber Planning,” Journal of Cybersecurity 3, no. 1 (2017).

31. Borghard and Lonergan, “The Logic of Coercion in Cyberspace.”

32. Lawrence Freedman, The Future of War: A History (New York, NY: Public Affairs, 2017), 238.

33. Max Smeets, “The Strategic Promise of Offensive Cyber Operations,” Strategic Studies Quarterly 12, no. 2 (2018).

34. Lucas Kello, The Virtual Weapon and International Order (New Haven, CT: Yale University Press, 2017), 67.

35. David Betz and Tim Stevens, Cyberspace and the State: Toward a Strategy for Cyber-Power (New York, NY: Routledge, 2011), 97.

36. Erik Gartzke and Jon R. Lindsay, “Weaving Tangled Webs: Offense, Defense, and Decep-

tion in Cyberspace,” Security Studies 24, no. 2 (2015). 37. Kello, The Virtual Weapon and International Order, 78. 38. Ibid, 206.

39. An oft-cited case of the cumulative detrimental impacts of cyber aggression is the eco-

nomic cost of Chinese cyberespionage targeting the United States. While assessments of

Is Cyber Strategy Possible?

THE WASHINGTON QUARTERLY ▪ SPRING 2019 149

the total damage vary widely, one recent study estimated as much as $600 billion in cumu-

lative costs to the U.S. economy. See James Lewis, “How Much Have the Chinese Actu-

ally Taken?” Center for Strategic and International Studies, March 22, 2018. https://www.

csis.org/analysis/how-much-have-chinese-actually-taken.

40. Michael P. Fischerkeller and Richard J. Harknett, “Persistent Engagement, Agreed Com-

petition, Cyberspace Interaction Dynamics and Escalation,” Institute for Defense Analysis

(2018), https://www.ida.org/idamedia/Corporate/Files/Publications/IDA_Documents/

ITSD/2018/D-9076.pdf.

41. Richard Harknett and Emily Goldman, “The Search for Cyber Fundamentals,” Journal of Information Warfare 15, no. 2 (2016): 81–88.

42. Chris C. Demchak, “Key Trends across a Maturing Cyberspace Affecting U.S. and China

Future Influences in a Rising Deeply Cybered, Conflictual, and Post-Western World,”

U.S.-China Economic and Security Review Commission (2017), https://www.uscc.gov/

sites/default/files/Chris%20Demchak%20May%204th%202017%20USCC%

20testimony.pdf; see also Chris C. Demchak, Wars of Disruption and Resilience: Cybered Conflict, Power, and National Security (Athens, GA: University of Georgia Press, 2011).

43. Robert Bebber, “Treating Information as a Strategic Resource to Win the ‘Information

War,’” Orbis 61, no. 3 (2017). 44. See, for instance, Morgan Chalfant, “Senators Demand Cyber Deterrence Strategy from

Trump,” The Hill, March 8, 2018, http://thehill.com/policy/cybersecurity/377410- lawmakers-demand-cyber-deterrence-strategy-from-trump.

45. See Jon Lindsay, “Stuxnet and the Limits of Cyber Warfare,” Security Studies 22, no. 3 (2013); Rebecca Slayton, “What Is the Cyber Offense-Defense Balance? Conceptions,

Causes, and Assessment,” International Security 41, no. 3 (2017). 46. Dale Peterson, “Offensive Cyber Weapons: Construction, Development, and Employ-

ment,” The Journal of Strategic Studies 36, no. 1 (2013). 47. Gartzke and Lindsay, “Weaving Tangled Webs.”

48. Kello, The Virtual Weapon and International Order, 179. 49. Harknett and Goldman, “The Search for Cyber Fundamentals.”

50. See, inter alia, Martin Libicki, Cyberspace in Peace and War; Robert Jervis, “Some Thoughts on Deterrence in the Cyber Era.”

51. See, for instance, Brandon Valeriano and Ryan C. Maness, Cyber War Versus Cyber Reali- ties: Cyber Conflict in the International System (New York, NY: Oxford University Press, 2015), 48.

52. Joseph Nye, “Deterrence and Dissuasion in Cyberspace,” International Security 41, no. 3 (2017). Jeffrey Cooper makes a similar argument for “networked deterrence;” see Jeffrey

R. Cooper, “A New Framework for Cyber Deterrence,” in Cyberspace and National Security: Threats, Opportunities, and Power in a Virtual World ed. Derek Reveron (Washington, DC: Georgetown University Press, 2012).

53. Uri Tor, “‘Cumulative Deterrence’ as a New Paradigm for Cyber Deterrence,” Journal of Strategic Studies 40, no. 1–2 (2017).

54. Defense Science Board Task Force on Cyber Deterrence (Washington, DC: U.S. Department of Defense, 2017), https://www.acq.osd.mil/dsb/reports/2010s/dsb-cyberdeterrencereport_

02-28-17_final.pdf.

55. Kello, The Virtual Weapon and International Order. 56. See, for instance, Michael P. Fischerkeller and Richard J. Harknett, “Deterrence Is Not a

Credible Strategy for Cyberspace,” Orbis 61, no. 3 (2017).

Wyatt Hoffman

150 THE WASHINGTON QUARTERLY ▪ SPRING 2019

57. For instance, Martin Libicki argues that the fact that the United States has not suffered from

any cyberattack significant enough to “merit retaliation” suggests it “may already be profiting

from an implicit deterrence stance that warns other states against any seriously hostile act.”

See Martin Libicki Cyberspace in Peace and War (Annapolis, MD: Naval Institute Press, 2016), 223; see also, Jason Healey “Cyber Deterrence Is Working – So Far,” The Cipher Brief, July 23, 2017, https://www.thecipherbrief.com/cyber-deterrence-is-working-so-far.

58. Dorothy E. Denning, “Rethinking the Cyber Domain and Deterrence,” Joint Force Quar- terly 77 (2nd Quarter 2015).

59. Fischerkeller and Harknett, “Deterrence Is Not a Credible Strategy for Cyberspace.”

60. See Scott Jasper, Strategic Cyber Deterrence: The Active Cyber Defense Option (London: Rowman & Littlefield, 2017).

61. “Achieve and Maintain Cyberspace Superiority: Command Vision for US Cyber

Command,” United States Cyber Command (2018), https://www.cybercom.mil/Portals/

56/Documents/USCYBERCOM%20Vision%20April%202018.pdf?ver=2018-06-14-

152556-010.

62. “Department of Defense Cyber Strategy,” United States Department of Defense (2018),

https://media.defense.gov/2018/Sep/18/2002041658/-1/-1/1/CYBER_STRATEGY_

SUMMARY_FINAL.PDF.

63. See, for instance, Jason Healey, “Triggering the New Forever War, in Cyberspace,”

The Cipher Brief, April 1, 2018, https://www.thecipherbrief.com/triggering-new- forever-war-cyberspace; Lyu Jinghua, “A Chinese Perspective on the Pentagon’s

Cyber Strategy: From ‘Active Cyber Defense’ to ‘Defending Forward,’” Lawfare, October 19, 2018, https://www.lawfareblog.com/chinese-perspective-pentagons-

cyber-strategy-active-cyber-defense-defending-forward; and Ben Buchanan and

Robert D. Williams, “A Deepening U.S.-China Cybersecurity Dilemma,” Lawfare, October 24, 2018, https://www.lawfareblog.com/deepening-us-china-cybersecurity-

dilemma.

64. Michael P. Fischerkeller and Richard J. Harknett, “Persistent Engagement, Agreed Com-

petition, Cyberspace Interaction Dynamics and Escalation,” Institute for Defense Analysis

(2018), https://www.ida.org/idamedia/Corporate/Files/Publications/IDA_Documents/

ITSD/2018/D-9076.pdf.

65. A few notable examples include George Perkovich and Ariel E. Levite (eds.), Under- standing Cyber Conflict: 14 Analogies (Washington, DC: Georgetown University Press, 2017); Ben Buchanan, The Cybersecurity Dilemma: Hacking, Trust and Fear Between Nations (New York, NY: Oxford University Press, 2016); Tim Maurer, Cyber Mercen- aries: The State, Hackers, and Power (New York, NY: Cambridge University Press, 2017).

66. Michael Fischerkeller and Richard Harknett, “Persistent Engagement and Tacit Bargain-

ing: A Path Toward Constructing Norms in Cyberspace,” Lawfare, November 9, 2018, https://www.lawfareblog.com/persistent-engagement-and-tacit-bargaining-path-toward-

constructing-norms-cyberspace.

67. Building a Defensible Cyberspace: Report of the New York Cyber Task Force, Columbia School of International and Public Affairs, (2017), https://sipa.columbia.edu/sites/default/files/

3668_SIPA%20Defensible%20Cyberspace-WEB.PDF.

68. Kello, The Virtual Weapon and International Order, 238. 69. Fischerkeller and Harknett, “Persistent Engagement and Tacit Bargaining.”

Is Cyber Strategy Possible?

THE WASHINGTON QUARTERLY ▪ SPRING 2019 151

70. Michele Flournoy and Michael Sulmeyer, “Battlefield Internet: A Plan for Securing Cyber-

space,” Foreign Affairs (2018) https://www.foreignaffairs.com/articles/world/2018-08-14/ battlefield-internet.

71. Kate Charlet, “The Pentagon’s Cyber Strategy: What’s New and What it Means,” The

Cipher Brief, Sept. 20, 2018, https://www.thecipherbrief.com/the-pentagons-cyber-

strategy-whats-new-and-what-it-means.

72. For a brief overview of potential broader trajectories of cyberspace, see, for instance, Jason

Healey, “The Five Futures of Cyber Conflict and Cooperation,” Atlantic Council, 2011, https://www.atlanticcouncil.org/images/files/publication_pdfs/403/121311_ACUS_

FiveCyberFutures.pdf.

73. Lawrence Freedman, Strategy: A History (New York, NY: Oxford University Press, 2013), 610.

Wyatt Hoffman

152 THE WASHINGTON QUARTERLY ▪ SPRING 2019