The 1950 report by the National Security Council interpreted George F. Kennan’s warning about Soviet ideological expansionism as a warrant for a build-up and projection of American military strength, force-backed intervention in countries at risk of adopting communist government, and a framework for understanding and negotiating with the USSR.1 NSC-68 provided a compelling raison d’être for an arms race, a reversal of political rhetoric about our wartime ally, and proxy conflicts in Korea and Vietnam, and it transformed societies in two superpowers for the last half of the twentieth century.2
Nearly two decades after the collapse of the Soviet Union, a rejuvenated Russian Federation appears to be providing direct3 and indirect4 aegis for hostile interference in the domestic political processes of the United States and other NATO signatories.5 While attribution for attacks is extremely difficult, technical analysis of incidents suggests that the Kremlin may be using its elite military intelligence units and supporting proxy actors to compromise technical infrastructure, steal secret communications and records, and disseminate damaging, highly suggestive true and untrue information in order to create distrust in the political processes of democratic states, including our own. The wider American public is being introduced, through prolific reporting on investigations of domestic and international incidents of interference, to Russian subterfuge techniques collectively known as “активные мероприятия”6.7
As the domains of American strength shift from the industrial and commercial world to the information and services world, so does the national security threat landscape. The US still responds to threats to the homeland, its allies, and interests abroad with traditional tactical and strategic force, but most of those threats are from small, non-state actors. Increasingly, the US is experiencing sustained and serious attacks in cyberspace from mysterious actors, attacks with levels of sophistication that suggest state-level support. Commensurate with the rise in attacks, US federal agencies, commercial firms, and research and educational institutions have increased the intensity of their efforts to harden their defenses, improve their incident response capability and strategize about how to protect American power in this new theater. The addition of the Russian Federation (RF or Russia) to the set of established cyber-enemies, predominantly the People’s Republic of China (PRC or China) and the Democratic People’s Republic of Korea (DPRK or North Korea), invites the question of whether the US needs a more robust and coordinated strategy comparable to NSC-68.10 It also resulted in enormous environmental damage from the production of fissile material and ongoing proliferation issues. The Korean peninsula has been stuck in Cold War geopolitics for half a century. The expansions of NATO in the 1960s and again in the 1990s are sources of Soviet and now Russian frustration and distrust of the West.11
NSC-68 proposed a very active military posture against communism in the world, but it remains debatable whether the decline in communism and the fall of the Soviet Union can really be credited to what emerged from its recommendations. Andrew Marshall would come to find that the US made mistakes in its assessment of the level and sources of Soviet defense growth as well as its aims. In a piece for Foreign Policy, Jeffrey Lewis writes, “Each side, the BMD study implied, was really racing with itself.”12 Stephen Kotkin’s book Armageddon Averted challenges the opinion that the United States won the Cold War by actively resisting Soviet power, arguing instead that the Soviets’ failure to modernize their economy in step with global trends, as well as to liberalize politically, created an unsustainable future for the socialist juggernaut.13 NSC-68 makes a dispensable overture to the possibility that the USSR might “collapse from within,” and even makes a modest effort to address the impact that a hawkish American government might have on society.14 Even cyberspace has Cold War origins. Arpanet and the TCP/IP stack were designed to create a communications network that could remain functional in the event of a nuclear attack.15 The decentralization that makes the system robust, the low reliance on authentication, and the non-proprietary foundations make cyberattacks easy to perform, hard to defend against, and hard to trace. While the damage and imagined threats from cyberattacks are unquestionably benign when compared to the risk from a conventional or nuclear attack by a state, our increasing reliance on computer networks for state power must be considered and balanced as part of a comprehensive strategic posture.
US on Cyber Defense
It remains difficult to synthesize what the US strategy on cybersecurity is or how long any particular articulation will remain relevant. There is a secret-level Department of Defense (DOD) strategy document from 2006 available online that articulates one posture.16 In 2011 President Barack Obama issued International Strategy for Cyberspace17, and in late 2012 another, National Strategy for Information Sharing and Safeguarding.18 A document much more like NSC-68 in its detail is the Cybersecurity Strategy and Implementation Plan (CSIP)19 from 2015, created by the Office of Management and Budget (OMB) with participation by the National Security Council, Department of Homeland Security and DOD, among others. CSIP, unlike NSC-68, is focused domestically. Again, in late 2016 the Commission on Enhancing National Cybersecurity, assembled by President Obama largely from the private and higher education sectors, produced a 100-page Report on Securing and Growing the Digital Economy20. Four of the six “imperatives” from its list of recommendations are security-focused. There seems to be no end to the number of agencies involved in producing endless assessments and plans replete with broadly framed guidelines, imperatives, directives and such. It is beyond the purview and capability of this memo to survey this publishing industry exhaustively; suffice it to say that the number and scope of productions suggest an industry-sized effort, which in turn suggests risks associated with coordination when a singular, authoritative strategy document cannot be cited as the source of a common mandate.
If it is difficult to say what the US domestic or international strategy is with the clarity and force of something like NSC-68, perhaps budget data will be informative. A supplementary document focused on IT spending in President Trump’s 2018 budget proposes “nearly $95.7 billion” in spending, with 44.4% going to DOD and another 14.5% going to the Department of Homeland Security (DHS). That is, 51.5% of all federal IT spending is going to the national security establishment. The supplement also claims that “for the first time, this Budget, includes discrete cyber program investments that align budget resources with the National Institute of Standards and Technology (NIST) Cybersecurity Framework.”21 The inclusion here suggests that perhaps NIST is leading the domestic effort with its draft document produced in May 2017. Of course, the DOD produced its own document in 2015.22 China, Russia, Iran and North Korea are all named in the document. The tone of the language regarding Russia is mild and the number of mentions is small compared to China. One would expect that to change in any near-term future documents by defense or security agencies in the US, if the tone of outrage in popular media is indicative of a real change in mood by the US. Of the four strategic goals outlined by the DOD, the most aggressive posturing might be found in Strategic Goal IV, which is to provide “viable cyber options…to control conflict escalation and shape conflict environment.”23 The remainder of their public-facing message focuses on defense of its own capabilities and networks, homeland defense and partnerships with allies. Spending on IT isn’t as representative of capability growth as one might expect. IT hardware isn’t traditionally terribly expensive, but the research and development that creates technical advantages is, and it depends quite significantly on private sector discovery.
An increase in spending coupled with the explosion in publication of IT/cybersecurity standards suggests an uptick in effort.
John Lewis Gaddis writes of NSC-68 that, “the whole point of the document had been to shake the bureaucracy, Congress and the public into supporting more vigorous action.”24 The goals of that action included, “projection into the Soviet world in such a way as to bring about an internal change in the Soviet system.”25 The success of these two measures is again instructively different. There is no doubt that the US was shaken into vigorous action, but what evidence is there that NSC-68, in its self-expressed aims and design, was instrumental in the subversion of the Soviet system? The collapse of the Soviet Union seems to have been met by the broader US population, not with a sense of victory, but with a sense of relief that we need not worry so much about MAD or some mysterious Communist monster.
There has been no Hiroshima in cyberspace yet, nor has there been a Hungarian Revolution or Berlin Wall to galvanize the public. Perhaps the closest such antagonism is happening now, with the possibility that we could discover our President was aided in his campaign to the office by the support of a state that is arguably credited with taking “active measures” to weaken our democracy. Nor are Americans ready to empower the government with greater cyber strength after revelations that it grossly misused that power.26 The US seems to be able to respond quickly to individual cyber vulnerabilities, but information technology is still a very dynamic field for innovation, and as such it is extremely difficult to adjudicate who is winning any kind of security competition or for how long. Because this field is so innovative, the global diffusion of technical capability so rapid, the weaponizable tools so affordable and the technical literacy of most citizens dangerously inadequate, it may be impossible or too early yet for any state power to form a meaningful and lasting cyber strategy.