The U.S. Should Make Leverage the Foundation of Its Cyber Strategy – Council on Foreign Relations

admin on May 1, 2021 Leave a Comment

Justin Sherman (@jshermcyber) is a fellow at the Atlantic Councils Cyber Statecraft Initiative. Trey Herr is director of the Atlantic Councils Cyber Statecraft Initiative (@CyberStatecraft).

The SolarWinds incident spurred a flurry of debates about whether the U.S. Department of Defenses 2018 defend forward strategy should, or could, have prevented the calamity. Putting aside that the Russian operation was cyber espionagestealing data rather than denying, disrupting, degrading, or destroying systemssome of these arguments reflected an idea that the United States should defend forward or persistently engage everywhere, all the time.

More on:

Cybersecurity

Digital Policy

However, this idea is not only unrealistic, with resource constraints (in personnel, target information, access to adversary networks, organizational capacity, etc.) limiting the collective reach of U.S. cyber operations at any given time; it also ignores the concept of points of leverage in the broader internet ecosystem.

Net Politics

CFR experts investigate the impact of information and communication technologies on security, privacy, and international affairs.2-4 times weekly.

Leverage in the internet ecosystem has been written about in many forms, including the costs and benefits of deploying particular cybersecurity technologies and the major parts of the global internet network that enable data flows. Yet discourse on persistent engagement that seems to suggest a constant engagement on all parts of the network ignores the very idea of leverage that should be the foundation for the conversation itselfunderstanding how defensive and offensive actions can shift points of leverage on the internet.

The New York Cyber Task Forces 2017 report discusses the idea of leverage, for instance, in a somewhat productized sense vis--vis software and internet security. Cybersecuritys most successful innovations, they wrote, have provided leverage in that they operate on an internet-wide scale and impose the highest costs (roughly measured in both dollars and effort) on attackers with the least cost to defenders. Encryption, automatic software updates, and secure-by-design software were just three examples provided by the task force. The cost-benefit of their deployment favors the defender.

A new report from the Atlantic Council on lessons from the Sunburst campaign likewise argues that government and industry should embrace an idea of persistent flow in cybersecurity, emphasizing that effective cybersecurity is more about speed, agility, and concentrated action than trying to do everything, everywhere, all at once. This concentration is necessary because just as there are cybersecurity technologies that give leverage to a defender, some vectors of compromise give disproportionate leverage to attackers.

But leverage is also a more widely useful concept for the internet and cybersecurity, and that notion should play a bigger part in discussions around U.S. cyber strategy. Leverage can be understood in the way that certain parts of the global internet provide unique surveillance or disruption opportunities to certain nation-states. Henry Farrell and Abraham Newman write in their 2019 article Weaponized Interdependence [PDF] about panopticons in networks, which states can use to gather strategically valuable information, and chokepoints in networks, which provide opportunities to deny network access to adversaries. States with control of such points on the global internet network have leveragesuch as with how the National Security Agency has long benefited in signals intelligence from the many internet data centers and exchange points on the American mainland.

More on:

Cybersecurity

Digital Policy

Similarly, points in the global internet architecture can serve as places of leverage for nation-states looking to secure them or exploit their vulnerabilities. Data routing security is one such example. The Domain Name System, the internets phone book for addressing traffic, and the Border Gateway Protocol, the internets GPS for routing traffic, were both designed with a preference for speed and reliability over security. Both systems are crucial to the global internets very function and yet remain fundamentally insecurevulnerable to outright manipulation. They are also both areas where small changes would yield massive gains in cybersecurity, underscoring that, as we previously argued, one of the best ways to approach a U.S. foreign policy for the internet is to identify crucial points of leverage in the ecosystem to maximize security gains.

This raises the distinction between chokepoints and leverage, however, where leverage provides highly scalable effects on cybersecurity (i.e., small inputs yielding outsized change across a system or ecosystem) and imposes significant costs for comparatively small input. Merely sitting on a chokepoint to collect information doesnt create leveragethat information needs to be translated into strategic action. Information sharing about threats, absent a strong model for interagency collaboration and a specific desired end state, is not enough. Points of leverage on the internet can shift at varying speeds, whether from defensive and offensive cyber actions or physical alterations to the internets topology. U.S. cyber strategy should therefore emphasize that steps within the cyber domain to exploit or protect those points of leverage do more than alter the position of each actor involvedthey also alter the cyber environment itself.

Digital and Cyberspace Update

Digital and Cyberspace Policy program updates on cybersecurity, digital trade, internet governance, and online privacy.Bimonthly.

The Sunburst campaign provides myriad reasons for the U.S. government and industry to reassess their policies and practices on the likes of both cloud and supply chain security[PDF]. Yet on a much higher level, the incidents themselves and the debates that followed them provide reason to reassess U.S. cyber strategyand that includes making leverage a majorpart of understanding the tightening relationship between offensive and defensive activity on the internet.

Read the rest here:
The U.S. Should Make Leverage the Foundation of Its Cyber Strategy - Council on Foreign Relations

Related Posts
Posted in Internet Security

Comments are closed.