Cybersecurity & Tech

Responding to Fischerkeller on Initiative Persistence

Herb Lin
Monday, December 13, 2021, 8:01 AM

The U.S. may be justified in seeking to contain China’s aggression and search for dominance in cyberspace with the 2018 USCC Command Vision. But it has yet to square this with a willingness to accept similar Chinese efforts to advance Chinese goals in cyberspace.

U.S. Cyber Command holding a joint cyberspace training exercise. (Photo by Fort George G. Meade)

Published by The Lawfare Institute
in Cooperation With
Brookings

I have struggled to find something with which I disagree in Michael Fischerkeller’s response to my thought experiment adopting the 2018 U.S. Cyber Command (USCC) Command Vision. A couple of such points are addressed below, but for the most part I agree with him. He does make one claim that I find surprising. He writes: 

[R]ecent State Department reports on China’s aggressiveness in and through cyberspace and plans for dominance suggest that a Chinese equivalent to the 2018 Command Vision would not be the least bit shocking—nor should it necessarily be viewed as alarming.

The first part of the quotation above (before the dash), is the consensus from most U.S. government people “in the know” regarding cyber. So Fischerkeller effectively concedes that the 2018 USCC Command Vision can be taken as a reasonable indicator of the United States’ aggressiveness in and through cyberspace and plans for dominance. After all, if a Chinese equivalent to the 2018 Command Vision indicates China’s aggressiveness in and through cyberspace and plans for dominance, why is the same not true for the United States and its intentions for cyberspace?

The second part of the quotation above (after the dash) is a very different matter. Fischerkeller may believe that a Chinese equivalent to the 2018 Command Vision should not necessarily be viewed as alarming, but China’s aggressiveness in and through cyberspace and plans for dominance have certainly been played up in various U.S. government documents as a threat. For example, the most recent Department of Defense report on Military and Security Developments Involving the People’s Republic of China (PRC) was issued in November 2021 and states that “[in the context of] the PRC’s strategy aims to achieve ‘the great rejuvenation of the Chinese nation’ by 2049 to match or surpass U.S. global influence and power, displace U.S. alliances and security partnerships in the Indo-Pacific region, and revise the international order to be more advantageous to Beijing’s authoritarian system and national interests, ... [and a strategy that] can be characterized as a determined pursuit of far-ranging efforts to expand the PRC’s national power,”

PLA researchers view strong cyber capabilities as winning modern wars in the information age, and believe[] cyber attack, defense, and reconnaissance should make up a single, integrated effort. 

PLA writings advocate seizing cyberspace superiority by using offensive cyber operations to deter or degrade an adversary’s ability to conduct military operations against the PRC, including during peacetime. PRC writings suggest cyber operations allow the PRC to manage the escalation of a conflict because cyber attacks are a low-cost deterrent. The writings also claim that cyber attacks demonstrate capabilities and resolve to an adversary. The PRC’s cyber attack operations target critical military and civilian nodes, including civilian critical infrastructure, to deter or disrupt adversary intervention, and retain the option to scale these attacks to achieve desired conditions with minimal strategic cost. Although the PRC considers its cyber capabilities and cyber personnel as lagging behind the United States in some areas, it is working to improve training and bolster domestic innovation to overcome these perceived shortfalls and advance cyber operations. 

As a result, PRC leaders seem to have increasing confidence in PLA cyber capabilities. Five years ago, Beijing established the [Strategic Support Force] with the goal to make progress applying information technology and developing strategic capabilities by 2020. More recently, China’s 2019 defense white paper and PLA academics describe China’s cyber capabilities as commensurate with its status as a major cyber country developing into a cyber power. This is consistent with China’s goal to become a world-leading cyber power by 2035. The PLA also appears to be integrating offensive and defensive cyber operations into its joint military exercises, possibly allowing its cyber personnel to gain combat experience while testing capabilities. 

A document issued by the National Security Agency, FBI and Department of Homeland Security notes: 

People’s Republic of China state-sponsored malicious cyber activity is a major threat to U.S. and Allied cyberspace assets. Chinese state-sponsored cyber actors aggressively target U.S. and allied political, economic, military, educational, and critical infrastructure (CI) personnel and organizations to steal sensitive data, critical and emerging key technologies, intellectual property, and personally identifiable information (PII). Some target sectors include managed service providers, semiconductor companies, the Defense Industrial Base (DIB), universities, and medical institutions. These cyber operations support China’s long-term economic and military development objectives.

Fischerkeller correctly notes the major point of my thought experiment: “Why can’t any nation use persistent engagement and defend forward to advocate for its own set of preferred norms?” His answer to that question seems to be that they can, and the United States should not be alarmed about that. 

For what it’s worth, I am alarmed by Chinese intentions and capability development in cyberspace, and I certainly do not want China to adopt strategies that resemble “defend forward” and “persistent engagement” to advance norms of cyber sovereignty, Chinese Communist Party supremacy, internal censorship of ideas and writings and media deemed hostile to China interests, and the use of cyber activity outside Chinese networks to suppress dissent and the expression of other perceived anti-China sentiments.

Fischerkeller notes that the United States should “expect other states to develop cyber strategies based on this principle of initiative persistence,” and he goes on to note that other states may not “adopt a defend forward/persistent engagement cyber strategy.” True enough, but according to the logic of his argument, other states should be free to adopt exactly such a strategy, as I suggested in my fictional People’s Liberation Army Cyber Command Vision. Should they do so, the United States would have no grounds on which to object. Since they apparently have, why, according to Fischerkeller’s logic, is the United States objecting?

Far more minor is my disagreement with his point that how commanders choose to employ forces under their command in support of Defense Department or national strategic guidance is not equivalent to what the United States believes those forces “should be doing.” Indeed, I do claim that “the USCC Command Vision articulates what the United States believes Cyber Command should be doing in cyberspace.” 

In unpacking this disagreement, I find it is rooted in the following observation. Fischerkeller’s view is entirely consistent with how the Defense Department, and the United States more generally, formulates operating strategy and doctrine—it issues broad guidance from the highest levels of government (higher authority), and documents issued from units and organizations lower on the food chain are consistent with those documents but exercise a great deal of latitude within the policy envelope set by higher authority. According to this view, “the United States” refers to the highest authorities in the land but does not refer to their subordinates.

I disagree. I believe that even privates on the battlefield are representatives of the United States, and what they say they will do on the battlefield will be taken by others as a fair representation of what the United States believes they should be doing. That is, the United States is responsible and accountable for high-level policy guidance and for what its subordinate organizations and people do. There is no particular reason to suppose that others will carefully parse the entirety of our documents searching for inconsistencies, and if what subordinate organizations and people are saying does not reinforce high-level policy guidance, the United States runs a higher risk that other nations will misinterpret U.S. intentions by focusing primarily on the words from subordinate organizations and people. They may do so for propaganda purposes, which is bad enough, but even worse, they may come to believe their worst-case interpretations. 

I recognize the rationale and logic behind Fischerkeller’s point of view, and I even understand its desirability. But the fact of the matter is that it simply does not account for the political reality that Defense Department documents are read by many others outside the Defense Department orbit. In particular, the Chinese (and others from other nations) are audiences too, and how they react to U.S. documents plays some role in their planning and orientation. It may indeed be an “exercise in redundancy” for commanders’ vision statements to repeat various caveats and restrictions contained in policy documents from higher authority, but paper and ink (and even bytes in a PDF file) are quite cheap, and including them would take away at least one excuse for adversaries of the United States to interpret U.S. vision statements as being hostile and aggressive.

I conclude by reiterating the basic point of my original post. The United States may well be justified in seeking to contain China’s aggression and search for dominance in cyberspace with the 2018 USCC Command Vision. But it has yet to square this with a willingness to accept similar Chinese efforts to advance Chinese goals in cyberspace. It is one thing for the United States to assert that U.S. goals in cyberspace are benign and peaceful and that Chinese goals are evil and aggressive. It is quite another for the United States to assert that China knows that U.S. goals are benign and peaceful and that China knows that Chinese goals are evil and aggressive. The first assertion may be true, but the second is beyond the pale of plausibility. Fischerkeller did not make the second assertion, but the United States—in its various public statements—has certainly implied it.


Dr. Herb Lin is senior research scholar for cyber policy and security at the Center for International Security and Cooperation and Hank J. Holland Fellow in Cyber Policy and Security at the Hoover Institution, both at Stanford University. His research interests relate broadly to policy-related dimensions of cybersecurity and cyberspace, and he is particularly interested in and knowledgeable about the use of offensive operations in cyberspace, especially as instruments of national policy. In addition to his positions at Stanford University, he is Chief Scientist, Emeritus for the Computer Science and Telecommunications Board, National Research Council (NRC) of the National Academies, where he served from 1990 through 2014 as study director of major projects on public policy and information technology, and Adjunct Senior Research Scholar and Senior Fellow in Cybersecurity (not in residence) at the Saltzman Institute for War and Peace Studies in the School for International and Public Affairs at Columbia University. Prior to his NRC service, he was a professional staff member and staff scientist for the House Armed Services Committee (1986-1990), where his portfolio included defense policy and arms control issues. He received his doctorate in physics from MIT.

Subscribe to Lawfare