No Shortcuts: Why States Struggle to Develop a Military Cyber-Force
Max Smeets, Hurst, £21.99

IN 2018 Washington undertook a strategic shift that will probably have gone unnoticed outside security circles, but which revealed its hegemonic pretensions, if only in a virtual sense.  

The US government changed the posture of its cyber warfare capability from one that was largely deterrent to one that embraced the extra-territorial American reflexes that we are so familiar with in other spheres of life. 

No longer were its cyber capacities to be solely defensive and bogged down by bureaucratic chains of command and political checks and balances, but streamlined, persistent, and proactively aggressive.

This change was undoubtedly a response to the increasing number and sophistication of cyber threats faced by the Pentagon. It is no secret that Russia, for example, has used cyber operations to subvert elections in the US with little restraint. 

But the new strategy was also a response, as Max Smeets explores, to a characteristic of this type of defence capacity which requires practitioners to remain constantly engaged in a non-warfighting context in order to retain the ability to act when the shooting starts.

As Smeets observes about this grey zone of conflict that exists below armed engagement, a critical question is the relationship between the day-to-day mission of a cyber command, and its ability to develop and maintain a certain capability. If cyber warriors are not on a permanent war footing, how can they stay on top of dynamically changing threats in a digitised world?

This question must be answered not only by the US but also by rivals such as Russia and China as well as smaller states with limited resources who recognise the risks they face from rogue actors.

The author examines the multiple barriers that obstruct a state’s ambition to create effective military cyber operations, from diverse legal hurdles, to operations and limits on finance, to the simple fact that retaining talented staff is difficult. Staff retention issues become even more important for cyber commands that see their mission as existing only in wartime, and from a traditional “defence” posture aimed at a foreign enemy.

Smeets writes: “A cyber command that is hampered in being active on a day-to-day basis, where operators may not feel they receive the opportunity to constantly learn and accumulate new skills, is unlikely to retain the relevant people.”   

These factors help to explain the US strategic shift in 2018. By elevating the status of its cyber command, USCYBERCOM, and rescinding obstacles to deployment put in place to avoid escalation in exchanges with adversaries, Donald Trump’s administration loosened the tethers of control from offensive activity.

The new perspective, given momentum by Joe Biden, can be likened to the emergence of a permanent but unseen war, in which the only way to survive in a lawless battlefield shrouded in darkness is to attack first, regardless of such inconvenient constraints as sovereignty.

Based on the novel principle of “defend forward” — a direct US response to any challenge  to its supremacy in cyberspace — it tasks the military with offensive ops before perceived hostile acts occur. It is what General Joseph Dunford, at the time chairman of the US Joint Chiefs of Staff, called “defending with an offensive mindset.”

If there is any doubt about what this means in practice, the Iraq war offers a reference: the Bush administration justified its pre-emptive strike on grounds anchored in a national security doctrine, but which authorises unilateral offensive action in a way that is clearly questionable.

Given that such a doctrine runs the obvious risk of escalation, one might forgive US allies for feeling uneasy. 

Smeets writes: “With the potential exception of the United Kingdom, most allies seem uncomfortable adopting a similar, ‘persistent engagement’ strategy, as it is perceived as overly aggressive and clashes with their understanding of sovereignty as a legal principle in cyberspace.”

Yet, as ever, the dominant US position in Western defence changed the terms of debate irreversibly, and since 2018 NATO has begun to consider offensive cyber operations in tandem with a host of member countries such as the UK and The Netherlands.

Nonetheless, the US’s strategic shift did address the key dilemma facing all countries that have a military cyber force about their missions, and especially small states with limited resources and are unlikely to benefit from technology transfers. 

And it has concrete policy implications, not least in the area of cyber disarmament, which indicates the need for far greater transparency about their offensive activities among all countries that undertake militarised cyber ops.