The Missing Pieces of the US Cyber Strategy of ‘Persistent Engagement’

Recent Features

Flashpoints | Security

The Missing Pieces of the US Cyber Strategy of ‘Persistent Engagement’

Washington has to take steps to square its ambitions with the differing perceptions of its Indo-Pacific partners.

The Missing Pieces of the US Cyber Strategy of ‘Persistent Engagement’
Credit: Pixabay

The new U.S. cyber strategy of Persistent Engagement rests on two fundamental pillars: first, the pre-emptive “defend forward” imperative. This underpins the U.S. Cyber Command’s increasingly offensive posture to operate everywhere and anytime, encompassing both benign and proactive cyber-enabled operations outside U.S. networks. Second is an awareness of the changing strategic competition in cyberspace, which largely occurs below the threshold of armed conflict. Underscored by the interconnected and interactive nature of the cyber domain, Persistent Engagement views malicious cyber activities as part of more effective and interlinked campaigns that are not isolated or episodic, but instead are exploitative and cumulative.

First announced in 2018, the Persistent Engagement strategy is the Trump administration’s alternative to the defense-oriented cyber strategy developed during the Obama era, anchored in operational restraint and a norm-based, deterrent approach.

For the U.S. Persistent Engagement strategy to succeed, the U.S. Cyber Command recognized that Washington could not do it alone. The strategy’s success requires collaborative partnership across government, industry, and academia, and most importantly, alongside efforts from allies and partners aimed at advancing collective cybersecurity.

With the Biden administration claiming now that “America is back,” the path forward is clear: the U.S. will be working with its allies and partners to achieve its foreign policy objectives in the current era of great power competition, especially in the contested cyber domain.

Supposing the U.S. genuinely desires to advance collective cybersecurity, it should court support in the Indo-Pacific, and temper its unilateral tendencies. In that case, three factors are highlighted, all of which sit alongside practical cyber policy engagements.

First, the U.S. must consider the overall strategic context of the region.

Although Persistent Engagement was designed to address heightened competition between the U.S. and adversaries like China, Russia, North Korea, and Iran, obviously the threat calculations of states in the Indo-Pacific, especially in Southeast Asia, diverge. Small powers are not interested in being caught in the cross fire that might ensue from offensive cyber operations or any direct perceptions that the U.S. is bent on containing or constraining China.

A wholesale export of the Persistent Engagement strategy is therefore impossible. But a gentle persuasion from the U.S. toward ASEAN through a tailored-fit approach in addressing the region’s top cybersecurity concerns, like Advanced Persistent Threat campaigns (APTs), could be a positive step. Linking the net-positive benefits of the strategy in combating APTs could reorient existing U.S. cyber capacity-building activities toward a more robust form of technical threat analysis and intelligence-sharing, at both regional and bilateral levels.

Such efforts could augment Southeast Asia’s capacity to transcend the annunciation of norms and international law in cyberspace into tangible solutions like the mitigation of the decades-long threat campaigns relating to the South China Sea.

The second and often overlooked aspect is the clear and well-defined articulation of the strategy’s on-the-ground implications. The pronouncement that the U.S. strategy will operate on persistent force is very top-down and all-encompassing. Despite its narrow emphasis on long-term and objective-based targets, the need to establish a clear baseline on the concrete scope of the strategy – on what it aims to protect, disrupt, or degrade – is paramount. It will allow more advanced and cyber-capable allies like Japan, Australia, and South Korea to contribute productively to executing the strategy. As it stands, using the blanket notion of gray-zone operations has been quite problematic in framing areas of policy coordination and resource allocation in traditional and well-defined domains, let alone in cyberspace.

Undoubtedly, the dramatic changes in U.S. Cyber Strategy will affect Washington’s existing cooperation with Japan and Australia, with whom it shares deeply entrenched cybersecurity commitments. This major shift necessitates a renewed discussion of moving legitimate cyber operations from the “red space” to the “gray space,” in order to impose costs on potential attackers. It will also demand the reassessment of existing markers such as indicators of compromise, intrusion detections, malware signatures, and social engineering tricks, among other things, in the context of joint operations, intelligence sharing, and capacity building. These will require a consistent determination of threat sources and elevated threat levels in order to arrive at actionable intelligence and launch a proportionate action or response.

Relatedly, the third factor centers on trust and legitimacy. While other less capable countries may see the benefits of Washington’s Persistent Engagement strategy, other nations, not excluding U.S. allies and partners, might be concerned about the effects generated by the U.S.’ operations in their networks and systems. Furthermore, the absence of a clear-cut U.S. declaratory policy on the relationship between the U.S. Cyber Command’s offensive cyber operations and state sovereignty raises questions about consent and international law.

With its fundamental goal to operate globally, seamlessly, and continuously to disrupt and degrade adversaries in cyberspace, the U.S. omnipresence in the cyber domain may lead to diplomatic friction, which over time erodes trust – something that adversaries can exploit for their gain. Repeatedly, proponents of the Persistent Engagement have emphasized its non-escalatory approach. However, ruling out the plausibility of escalation is a near-impossible outcome given the uncertainty of human perceptions or calculations.

To mitigate any unintended consequences and preserve a level of transparency and predictability, the U.S. must be able to reengineer its confidence building measures to bring them in line with the underlying logic of its new cyber strategy. The proposition to upgrade the 2011 International Strategy for Cyberspace to reflect the increasing prevalence of gray zone conflict, while emphasizing preventive diplomacy to diffuse tension or resolve any misunderstanding, would be an exciting prospect. Over the short-to-medium term, setting up notification frameworks to facilitate the continuous exchange of information must be prioritized. Over the long haul, squarely upholding sovereignty within the bounds of international law via a more defined U.S. declaratory policy on its cyber operations could ameliorate skepticism and misinterpretation.

Conceiving, planning, consolidating, and implementing the U.S. Persistent Engagement strategy across the government, industry, and academia will not be easy, while socializing U.S. allies and partners into the strategy under the banner of collective cybersecurity will be more difficult still. The key is for the U.S. to be more persistently and consistently engaged in both the domestic and international spheres.