The U.S. Should Make “Leverage” the Foundation of Its Cyber Strategy

Justin Sherman (@jshermcyber) is a fellow at the Atlantic Council’s Cyber Statecraft Initiative. Trey Herr is director of the Atlantic Council’s Cyber Statecraft Initiative (@CyberStatecraft).

The SolarWinds incident spurred a flurry of debates about whether the U.S. Department of Defense’s 2018 “defend forward” strategy should, or could, have prevented the calamity. Putting aside that the Russian operation was cyber espionage—stealing data rather than denying, disrupting, degrading, or destroying systems—some of these arguments reflected an idea that the United States should defend forward or “persistently engage” everywhere, all the time.

However, this idea is not only unrealistic, with resource constraints (in personnel, target information, access to adversary networks, organizational capacity, etc.) limiting the collective reach of U.S. cyber operations at any given time; it also ignores the concept of points of leverage in the broader internet ecosystem.

“Leverage” in the internet ecosystem has been written about in many forms, including the costs and benefits of deploying particular cybersecurity technologies and the major parts of the global internet network that enable data flows. Yet discourse on persistent engagement that seems to suggest a constant engagement on all parts of the network ignores the very idea of leverage that should be the foundation for the conversation itself—understanding how defensive and offensive actions can shift points of leverage on the internet.

The New York Cyber Task Force’s 2017 report discusses the idea of leverage, for instance, in a somewhat productized sense vis-à-vis software and internet security. Cybersecurity’s most successful innovations, they wrote, have provided leverage in that “they operate on an internet-wide scale and impose the highest costs (roughly measured in both dollars and effort) on attackers with the least cost to defenders.” Encryption, automatic software updates, and secure-by-design software were just three examples provided by the task force. The cost-benefit of their deployment favors the defender.

A new report from the Atlantic Council on lessons from the Sunburst campaign likewise argues that government and industry should embrace an idea of “persistent flow” in cybersecurity, “emphasizing that effective cybersecurity is more about speed, agility, and concentrated action” than trying to do everything, everywhere, all at once. This concentration is necessary because just as there are cybersecurity technologies that give leverage to a defender, some vectors of compromise give disproportionate leverage to attackers.

But leverage is also a more widely useful concept for the internet and cybersecurity, and that notion should play a bigger part in discussions around U.S. cyber strategy. Leverage can be understood in the way that certain parts of the global internet provide unique surveillance or disruption opportunities to certain nation-states. Henry Farrell and Abraham Newman write in their 2019 article “Weaponized Interdependence” [PDF] about “panopticons” in networks, which states can use to gather strategically valuable information, and “chokepoints” in networks, which provide opportunities to “deny network access to adversaries.” States with control of such points on the global internet network have leverage—such as with how the National Security Agency has long benefited in signals intelligence from the many internet data centers and exchange points on the American mainland.

Similarly, points in the global internet architecture can serve as places of leverage for nation-states looking to secure them or exploit their vulnerabilities. Data routing security is one such example. The Domain Name System, the internet’s “phone book” for addressing traffic, and the Border Gateway Protocol, the internet’s “GPS” for routing traffic, were both designed with a preference for speed and reliability over security. Both systems are crucial to the global internet’s very function and yet remain fundamentally insecure—vulnerable to outright manipulation. They are also both areas where small changes would yield massive gains in cybersecurity, underscoring that, as we previously argued, one of the best ways to approach a U.S. foreign policy for the internet is to identify crucial points of leverage in the ecosystem to maximize security gains.

This raises the distinction between chokepoints and leverage, however, where leverage provides highly scalable effects on cybersecurity (i.e., small inputs yielding outsized change across a system or ecosystem) and imposes significant costs for comparatively small input. Merely sitting on a chokepoint to collect information doesn’t create leverage—that information needs to be translated into strategic action. Information sharing about threats, absent a strong model for interagency collaboration and a specific desired end state, is not enough. Points of leverage on the internet can shift at varying speeds, whether from defensive and offensive cyber actions or physical alterations to the internet’s topology. U.S. cyber strategy should therefore emphasize that steps within the cyber domain to exploit or protect those points of leverage “do more than alter the position of each actor involved—they also alter the cyber environment itself.”

The Sunburst campaign provides myriad reasons for the U.S. government and industry to reassess their policies and practices on the likes of both cloud and supply chain security [PDF]. Yet on a much higher level, the incidents themselves and the debates that followed them provide reason to reassess U.S. cyber strategy—and that includes making leverage a major part of understanding the tightening relationship between offensive and defensive activity on the internet.