America’s allies are shifting: Cyberspace is about persistence, not deterrence
Something interesting is happening across America’s cyber allies.
From the United Kingdom to the Netherlands, Japan, South Korea, and Canada, there is an evolution in cyber strategic thought taking root. The United States spearheaded this fresh approach to securing national interests in and through cyberspace with its 2023 Defend Forward strategy, which built on a 2018 strategy pivot. Now America’s allies are building on this momentum.
The 2023 U.S. National Cybersecurity Strategy and the 2023 U.S. DoD Cyber Strategy recommitted the U.S. to make proactive persistent efforts to “limit, frustrate, and disrupt” adversary cyber activities short of war. To be sure, there are deterrence holdouts among some political leaders and in Congress, who believe speculatively that cyber activity below the threshold of use of force can be deterred. But those gaining operational experience across the globe are finding that the key to security in cyberspace is by proactively engaging in operations and campaigns that identify vulnerabilities, preclude exploitation, and enable mitigation.
The similarity in language across our country’s allies is fascinating, but not surprising, as it represents a convergence of operational experience that comes from lessons learned by working in and through cyberspace. Our allies have come to recognize that they can accumulate gains or prevent losses that may have strategic effect below the threshold of force if they follow the logic of cyber initiative persistence, or constantly looking for and maintaining a lead over cyber vulnerabilities and actively adjusting conditions to improve security.
The reason we still hear so much about deterrence theory is due to the presence of nuclear weapons and modern conventional forces. Cyber Persistence Theory (CPT), on the other hand, is tied to the features of cyberspace. State behavior, both in word and deed, is surging forward in line with the logic of CPT.
The United States has been forthright, stating in the DoD Cyber Strategy that it “will continue to persistently engage U.S. adversaries in cyberspace, identifying malicious cyber activity in the early stages of planning and development. We will track the organization, capabilities, and intent of malicious cyber actors. … The Department [of Defense] will continue to defend forward by disrupting the activities of malicious cyber actors and degrading their supporting ecosystems.”
Other countries have followed this line of thinking. The United Kingdom states that it “cannot leave cyberspace uncontested where adversaries operate with impunity. … To be secure in cyberspace also requires actively tackling the cyber dependencies of adversaries.” The Netherlands’ 2023 International Cyber Strategy notes that the country must “combat cyber threats … by moving from a reactive to a more proactive approach to cyber threats.” Japan is actually going through a process of constitutional amendment, building from its 2023 National Security Strategy’s pledge to “introduce active cyber defense for eliminating in advance the possibility of serious cyberattacks.”
Additionally, the North Atlantic Treaty Organization has also recognized the need for a different approach to cyberspace. It has officially recognized in its 2022 Strategic Concept that “cyberspace is contested at all times. Malign actors seek to degrade our critical infrastructure, interfere with our government services, extract intelligence, steal intellectual property and impede our military activities” and that a “cumulative set of malicious cyber activities could reach the level of armed attack and could lead the North Atlantic Council to invoke Article Five of the Washington Treaty, on a case-by-case basis.” This is significant: a 75-year-old institution whose bedrock security strategy has been deterrence is opening the door to cyber persistence.
America’s allies are recognizing that while deterrence remains the strategic anchor in the conventional and nuclear realms, it is not providing security in cyberspace. This is not mere narrative; it is reality. America’s allies are operationalizing persistence, in accordance with their laws, authorities, and organizational constructs and acting on their new cyber postures.
The adoption of Hunt Forward operations by Canada and the U.K. is an example of this proactive approach. Their purpose is to search, identify, and remove malicious actors, and mitigate network vulnerabilities before they are exploited for strategic effect. Such operations not only secure networks, but importantly build trust among partners. It’s a big deal to invite another country — regardless of how friendly — into one’s own networks given the interconnected nature of systems. Operating in this manner, therefore, has a cumulative gain for the operators and their respective countries.
The logic that security rests in persistently acting to anticipate vulnerability exploitation is not just a military approach. The U.S. Department of Justice’s efforts to disrupt both state actors and cybercriminals follow the same logic. A coordinated disruption campaign recently yielded a win against China’s Flax Typhoon, with the government takedown of the group’s Internet of Things botnet that consisted of more than 260,000 devices.
The states that are seeing benefits of this proactive approach are adopting a campaigning mindset. For example, the U.S. identifies campaigning in and through cyberspace as a critical element of its 2022 National Defense Strategy. This opens the aperture on how cyber capabilities can be supportive of larger national security goals. If you can undermine an adversary’s confidence that they can create sustained conditions that will come in handy during a militarized conflict, then they may never have the confidence to pursue a conflict with you. In this indirect manner, continuous cyber campaigning can bolster a deterrence effect, even though such proactive campaigning is the opposite of a restrained deterrence strategy.
Deterrence promises to react to something; but in cyberspace, it is all about being proactive. Since cyberspace is a realm of seeking ubiquitous opportunity to exploit, remaining persistently engaged in order to get in front of such exploitation is the logical strategic choice.
But states can make bad choices. They make them all the time when leaders misread the security environments and misapply strategies that just do not fit. The past six years are fascinating in that states are moving away from the misaligned strategy of deterrence to forms of persistence, because of what they are seeing operationally and because the logic that dominates the space is becoming clearer.
This trend toward initiative persistence adds one more hopeful scenario: that while cyberspace will remain heavily contested, it may simultaneously become more stable and contained in an agreed competition — rather than crisis and war — because everyone is now on the same playing field.
Richard J. Harknett, Ph.D., is the director of the Center for Cyber Strategy and Policy and co-director of the Ohio Cyber Range Institute at the University of Cincinnati.