By Emma Schroeder*, Simon Handler**, and Trey Herr***
hack was a cyber-espionage campaign, not the opening gambit of a new cyber war. Clarifying the intent of malicious cyber campaigns is critical because many cyber-espionage capabilities and points of access are indistinguishable from those required for destructive or disruptive ends. Currently, the cyber domain is marked by an ongoing intelligence contest, involving consistently engaged adversaries seeking to gain leverage over one another. By taking advantage of the interconnectedness of digital networks, malicious actors can place sectors of society under threat with relative ease. Often blending in with normal network traffic, malicious actors ultimately force network defenders to distinguish adversarial from friendly elements within the general online user population. The United States is therefore not at war but is instead locked in a persistent competition with countless adversaries pursuing their strategic goals in and through cyberspace.
These characteristics—interconnectedness, indistinguishability, and the ongoing intelligence contest—must inform US strategic thinking, which will benefit from the application of theory developed for other asymmetric conflicts, namely insurgencies. The value of leveraging counterinsurgency theory to develop a more nuanced understanding of competition in the cyber domain, and the US military’s role in that competition, accrues immediately. Counterinsurgency tactics are familiar to the US national security establishment, given its experience waging a mix of counterinsurgency and counterterrorism operations during the US-led post-9/11 wars in Iraq and Afghanistan and beyond. Cybersecurity, like counterinsurgency, calls for the application of nonkinetic tools by both conventional and special operations forces that are typically most comfortable and adept at leveraging kinetic approaches to competition and conflict. Rather than treating cyber as a special or alien domain requiring massive investments in theoretical and doctrinal development, the US military can build on years of hard-won combat experience and veins of significant theoretical value from its experience with counterinsurgency.
In developing strategic responses to conflict within and through cyberspace, the United States should learn from past conflicts with similar characteristics. Population-centric counterinsurgency strategies provide a compelling lens. Though counterinsurgency has a distinct political character, the operational mechanics of insurgency and cyber operations have constructive similarities, including low barriers to entry and attribution ambiguity. Concomitantly, an increasing number of nonstate actors, both groups and individuals, have gained the ability to strike at valuable targets through cyberspace, despite their often-limited capabilities outside the cyber domain. Even (near-)peer competitors with substantial capabilities in other domains have turned to cyber operations as a lower-cost, variable-risk approach to achieve their desired ends, just as numerous states have chosen to sponsor terrorists and insurgent forces to the same end. Both insurgencies and cyber operations are characterized by sub-rosa engagements between actors of various shapes, motivations, and capabilities, as well as contests for information and influence that expose populations to harm as adversaries take measures to obfuscate themselves to appear as noncombatants and friendly intermediaries.
A recurring characteristic of cyberspace, namely its interconnectedness and pervasiveness in modern society, exposes civilian populations to direct cyber conflict, thereby preventing policymakers from imposing protective jurisdictional or geographic boundaries. During World War II, strategic bombing illustrated how a belligerent could reach into an enemy’s heartland and directly target its economic production and its population’s morale. Cyberspace appears to have similar environmental vulnerabilities with its large and ever-increasing attack surface; more specifically, cyberspace has expanded the sources of strategic power susceptible to an adversary’s attack. The ongoing epidemic of ransomware infections targeting healthcare facilities and state and local government agencies underscores how civilian entities and infrastructure are becoming increasingly exposed as more and more services and devices migrate to online operations and data storage. Critical infrastructure, financial institutions, and social media are owned and operated by private companies, but private sector vulnerabilities are a public national security concern because cyberattacks threaten the core of US national power.
Given the interconnectedness of cyberspace, it may seem impossible to separate private vulnerabilities from national security concerns—similar attempts to separate civilian and combatant populations during counterinsurgency operations proved difficult. For example, South Vietnam’s strategic hamlet program failed to create a reliable barrier between the population and the insurgents. However, just because separation is difficult in cyberspace does not mean that efforts to mitigate the risks to the civilian population and efforts to reduce the civilian attack surface are not effective. When malicious actors leverage or hide within legitimate network traffic and infrastructure, their behavior invites scrutiny on private internet service providers and other private intermediaries who carry the malicious traffic. Ultimately, because bad-faith actors often masquerade as friendly users, defenders are forced to solicit assistance and collaborate to distinguish between hostile and friendly parties.
Private companies are not only frequent targets of malicious activity—they can also be their vendors and enablers. Malicious actors build, adapt, and cobble together tools and resources accessible on the internet to carry out their activities. These tools range from the basic to the complex, provide malicious capabilities, and serve as force multipliers, enabling comparatively weak actors to have outsized impacts. Dual-use tools and resources range from Google Maps to online classes on hacking and from spoofing technology to hacker-for-hire companies that create and sell sophisticated offensive cyber capabilities. These dual-use services both enable illicit activities and comprise a legitimate business sector. Coordination with private or on-the-ground groups is a common practice in counterinsurgency due to their proximity to the issue and higher commitment to security. However, a balance must be struck in this partnership, one that acknowledges the differing incentive structures of these actors—the tension between profit and national security, for example—as well as differing authorities. Private sector actors may have impressive capabilities to defend against and impose costs upon malicious actors, but they experience different incentives and are limited in their response options.
The problem of where to focus defensive efforts highlights a second characteristic of conflict in the cyber domain: distinguishability. Linking cyber intrusions to their perpetrators—or attribution—is difficult and requires a concerted effort by the victim or target. Even when evidence of an attacker’s origin is found, the evidence can be interpreted differently or may be part of a false flag effort to obscure attribution, leading to misidentification. Even when positive identification is made, the hazy nature of the attribution process limits how victims can respond. In offensive cyber operations, deception and stealth are the norm and attacks are executed with the aid of domain complexity, obfuscation, and masquerading, as well as by leveraging the normal traffic and open source tools of the general online population—including individual users and private companies. Malicious actors can mask or conceal their activity as legitimate network traffic, allowing malicious traffic to be processed alongside such legitimate traffic, making it difficult to distinguish a malicious actor from a normal user.
Critically, both counterinsurgency and the cyber domain require defenders to distinguish and separate the adversary from the general population. In the cyber domain, core tenets from the canon of counterinsurgency literature can help the United States better understand and develop a strategy for cyber conflict. An irregular force is, by definition, fluid and integrated or enmeshed in the population. Mao’s concept of a “people’s war” is a form of irregular warfare that relies on militias formed from the local population. Mao’s warfare concept emphasizes that an insurgency’s support structure is rooted in the local populace, who must tolerate insurgent activity and potentially participate in the conflict. Ultimately, the counterinsurgent is faced with an enemy that is indistinguishable from the general population, meaning that every person can be a civilian, sympathizer, spy, or combatant—or any combination of these. Vo Nguyen Giap compared the engaged populace to a “sea of armed people” ready to strike at the enemy from any and every point.
Specifically, the Galula school of population-centric counterinsurgency is well-suited to understanding and explaining the cyber domain. A central tenet of David Galula’s model is the separation of the malicious actor from the population, eliminating its active and passive support base. Unlike other counterinsurgency theorists (e.g., C. E. Callwell), Galula does not prioritize eliminating the insurgents, because an attrition-focused strategy assumes that the combatant and noncombatant are distinguishable. Similarly, for an attrition-style strategy to work in the cyber domain, accurate sorting between malicious actors and the general user population is necessary. Therefore, in irregular warfare and cybersecurity, a population-centric approach is more appropriate, as it acknowledges the distinguishability problem.
problem forces the incumbent to offset the adversary’s advantages—namely mobility, stealth, and an ability to blend in with regular network activity or the general population. US efforts to combat improvised explosive devices (IEDs) in Iraq are illustrative of how a large-scale traditional force can respond to an insurgent’s asymmetric advantage. The US military poured significant resources into hardening its defenses against IEDs at its points of greatest harm: individual soldiers and their vehicles. The United States also established the Joint IED Defeat Organization to swiftly develop novel technical solutions to IED detection and detonation jamming. These pinpoint defenses were developed alongside a substantial telephonic and video surveillance effort that enabled pattern-of-life analysis on suspected and known insurgents and allowed coalition forces to track the insurgents physically emplacing IEDs. Ultimately, the United States was able to develop tactics and techniques to better discriminate between civilian traffic and infrastructure and those that posed a threat (or potential threat) to coalition forces. The contours of the IED problem and the US response provide insight into how the United States can frame cybersecurity challenges and how it can respond to a dynamic threat—a strategic effort to address tactical weaknesses. Investing in research and development for creative point defenses while simultaneously conducting systematic digital forensics to track, map, and distinguish adversary patterns and behaviors from general user patterns in cyberspace can generate a dynamic and adaptive cyber defensive posture.
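The paragraph above closes by naming the defensive technique—systematic forensics that tracks and maps patterns so that adversary behaviour can be distinguished from general user behaviour. As an added illustration that is not part of the original essay, the block below shows one small form of that idea, pattern-of-life baselining: each user's past authentication events define what is "normal" for that user (hours, sources, outbound volume), and new events are scored by how far they deviate. The log format, the field names, the user names, the source labels such as `corp-vpn` and `asn-12345`, and all sample values are constructed for this example; the scoring rule and the deviation threshold are assumptions chosen for clarity, not a standard.

```python
"""Pattern-of-life baselining over constructed authentication logs.

Added example: builds a per-user baseline of "normal" behaviour from past
events, then scores new events by how far they deviate from it. The event
schema, sample values and scoring thresholds are all constructed here.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    user: str
    hour: int        # 0-23, local hour of the login
    src: str         # constructed source label (e.g. "corp-vpn", "asn-12345")
    mb_out: float    # megabytes transferred out during the session


# Constructed history: a week of ordinary activity for two users.
HISTORY = [
    Event("alice", h, "corp-vpn", mb) for h, mb in
    [(9, 12.0), (10, 8.5), (11, 15.0), (14, 9.0), (15, 11.0), (16, 10.5), (9, 13.0)]
] + [
    Event("bob", h, src, mb) for h, src, mb in
    [(8, "office-lan", 40.0), (9, "office-lan", 55.0), (13, "office-lan", 47.0),
     (17, "home-isp", 38.0), (8, "office-lan", 52.0), (12, "home-isp", 44.0)]
]

# Constructed new events: two routine logins, and one that uses a valid account
# but arrives from an unfamiliar source, at an unusual hour, with a large
# outbound transfer. Individually each signal is weak; together they stand out.
NEW_EVENTS = [
    Event("alice", 10, "corp-vpn", 11.0),
    Event("alice", 3, "asn-12345", 420.0),
    Event("bob", 9, "office-lan", 50.0),
]


def build_baseline(events):
    """Per-user baseline: hours seen, sources seen, and outbound volume statistics."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    baseline = {}
    for user, evs in by_user.items():
        vols = [e.mb_out for e in evs]
        baseline[user] = {
            "hours": {e.hour for e in evs},
            "sources": {e.src for e in evs},
            "mean_mb": mean(vols),
            "std_mb": pstdev(vols) or 1.0,  # guard against a zero spread on constant history
        }
    return baseline


def score_event(baseline, event):
    """Return (score, reasons); each deviation from the user's baseline adds one point."""
    prof = baseline.get(event.user)
    if prof is None:
        # An account with no history at all is itself worth a look.
        return 3, ["no baseline for user"]
    reasons = []
    # Hour outside anything previously seen, allowing one hour of slack either side.
    if not any(abs(event.hour - h) <= 1 for h in prof["hours"]):
        reasons.append(f"unusual hour {event.hour:02d}:00")
    if event.src not in prof["sources"]:
        reasons.append(f"unseen source {event.src}")
    z = (event.mb_out - prof["mean_mb"]) / prof["std_mb"]
    if z > 3:
        reasons.append(f"outbound volume z-score {z:.1f}")
    return len(reasons), reasons


def flag_anomalies(history, new_events, threshold=2):
    """Events whose deviation score meets the threshold, queued for analyst review."""
    baseline = build_baseline(history)
    flagged = []
    for e in new_events:
        score, reasons = score_event(baseline, e)
        if score >= threshold:
            flagged.append((e, score, reasons))
    return flagged


if __name__ == "__main__":
    for e, score, reasons in flag_anomalies(HISTORY, NEW_EVENTS):
        print(f"{e.user}: score={score} ({'; '.join(reasons)})")
```

Run as a script, it reports only the second `alice` event. The design point is the one the paragraph makes: no single field separates the masquerading login from a legitimate one, so the defender accumulates several weak deviations from an established pattern rather than relying on any one indicator, and routes the result to a human rather than blocking automatically.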
The Intelligence Contest
Similar to insurgent-held regions, the cyber domain is characterized by persistent low-grade engagement that falls below the threshold of war. The goal of most cyber operations is strategic access, enabling the operator to gather intelligence, to hold adversaries at risk, and to maintain freedom of maneuver in the competition space. However, the engagement dynamic in the cyber domain is partly explained by an intelligence contest or a continual back and forth between adversaries, each trying to gain information on the other while poisoning the information available to its opponent. Each actor seeks out information not solely for the purpose of intelligence or strategic posturing but to create employable leverage over the adversary. Leverage is gained through positioning, in both the classic mechanical sense and through the compression of time—by degrading an opponent’s ability to identify and respond to new information, while speeding up one’s own adaptive cycle or deployment-of-force cycle.
Accurate identification of malicious actors in cyberspace, as in irregular warfare, relies entirely on the collection of reliable and actionable intelligence—without good intelligence, efforts to counter adversarial actions are less selective, and therefore less effective. Adversaries operate within the context of an asymmetric intelligence contest: incumbent powers require exhaustive, reliable, and up-to-date threat maps, while attackers only need to identify a single vulnerability or attack vector. Offensive campaigns can leverage software supply chains, bots, and even cloud networks to take advantage of economies of scale and increase the blast radius of their attacks, forcing defensive measures to be omnipresent. In essence, cyberspace has a vast, porous attack surface—one that is expanding rapidly as more data, devices, and services are stored in, connected to, and run on the internet. A compounding factor in cyberspace is that most of the infrastructure defining the domain is privately owned and operated by private entities. Therefore, the institutions that detect, analyze, and track intrusions into their own or others’ networks are particularly valuable for intelligence gathering.
According to Galula, seeking informational dominance, even in its most fleeting forms, requires counterinsurgents to seek cooperation from populations within proximity to information, and with the capacity to collect and share it. Indeed, the relative prowess exhibited by the US Army’s 101st Airborne Division compared to the 4th Infantry Division at leveraging the local population for information in largely similar areas of operations and time periods in Iraq offers a compelling explanation for the much more successful counterinsurgency outcomes of the former unit. The civilian population had to weigh concerns for their own and their families’ security in deciding to provide information to troopers from the 101st. In the cyber domain, the intermediaries—entities like internet service providers and cloud service firms—similarly must balance their cooperation against competing business interests and risk aversion. Global companies like Microsoft and Amazon are faced with a home jurisdiction that does not represent their worldwide market presence, leading them to shy away from appearing to be captive to US intelligence and law enforcement.
The cyber domain is characterized by constant competition and, like counterinsurgency, is not about tallies of wins and losses as much as it is about gaining strategic advantage over a competitor and exploiting its weaknesses. Insurgents do not go away but instead continue to evolve and develop new capabilities in response to defenders’ actions and countermeasures. Based on the US experience fighting insurgencies, it is impossible to be totally secure in cyberspace. Eventually, as demonstrated by Sunburst and the countless intrusions occurring daily, adversaries will find a vulnerability to exploit.
However, the United States can succeed in the cyber domain. To do so, it should accept the operational dynamics of the domain and engage to compete more effectively with adversaries. Emphasis should be placed on finding ways to encourage cooperation and codify relationships between the private and public sectors. Research and development efforts should focus on continuous innovation and rapid deployment of tactical countermeasures to shift the cyber landscape in favor of the defense, denying adversaries the ability to operate on their own terms. Organizations should rethink how they prioritize protecting their assets by first identifying and securing the assets of highest value to the adversary and then focusing resources on defending assets of internal value to the organization. And when a breach does, inevitably, occur, organizations should be quick to detect, remediate, and adapt systems to prevent similar security failures in the future. Failure is inevitable and obvious when it happens, but success in the cyber domain is incremental and less visible. To succeed, the United States should embrace failure as a growth concept and fully accept that defenses are not ubiquitous. Failing enables organizations to adapt their mitigation efforts to better manage risk by focusing on vulnerable points of strategic value to the adversary. Developing a cyber strategy that is more informed by the theoretical tenets of counterinsurgency is a step toward an operationally sound and adaptive approach to cybersecurity.
*Emma Schroeder is an assistant director with the Atlantic Council’s Cyber Statecraft Initiative within the Scowcroft Center for Strategy and Security. Her focus is on developing statecraft and strategy for cyberspace that is useful for both policymakers and practitioners. Her research background is in military history, particularly the development of irregular warfare strategy.
**Simon Handler is an assistant director with the Atlantic Council’s Cyber Statecraft Initiative under the Scowcroft Center for Strategy and Security, focused on the nexus of geopolitics and international security with cyberspace. He is a former special assistant in the United States Senate, where he worked on foreign policy issues.
***Trey Herr, PhD, is the director of the Cyber Statecraft Initiative at the Atlantic Council. His team works on cybersecurity and geopolitics, including cloud computing, the security of the internet, supply chain policy, and cyber effects on the battlefield. Previously, he was a senior security strategist with Microsoft and a fellow with the Belfer Cybersecurity Project at Harvard Kennedy School.