The Democratic People’s Republic of Korea has illicitly generated $2 billion to upgrade its weapons of mass destruction and missile programs by employing cyber means to force the transfer of funds from financial institutions and cryptocurrency exchanges. North Korea now has a missile capable of striking any part of U.S. mainland territory. China has cushioned declining economic growth and sustained the Communist Party’s legitimacy with an extensive campaign of cyber-enabled intellectual property theft and “re-innovation,” causing estimated losses to the U.S. economy ranging from $250 billion to $600 billion annually. Chinese operators recently targeted health care, pharmaceutical, and research sectors working on COVID-19 response. These unilateral, ongoing cyber campaigns have not coerced the United States (or any other state) to cede strategic ground to North Korea or China, and yet strategic ground has been secured or gained by each. That states are achieving strategic outcomes primarily through non-coercive cyber behavior has important policy and strategy implications for the United States — which grounds its national cyber strategy in coercion theory.
In particular, suggestions that declaratory policy and stronger signaling should be a central focus in national cyber strategy are misplaced because they derive from coercion theory, which argues one can influence an adversary’s strategic decision calculus through threatening to impose or imposing costs. Many observers and scholars concede that strategic coercive bargaining is difficult to do in the cyber realm because of organic technical features of cyberspace, including, but not limited to, ease in masking attribution, near-constant modifications and upgrades, and an extraordinary signal-to-noise ratio. And others argue that states’ cyber behaviors to date, including North Korea’s and China’s, have not been coercive in character. Yet a tendency to derive central cyber strategic remedies based on coercion theory endures. This pattern should be broken lest the United States run full speed toward cyber strategic failure.
It follows that the strategic bargaining concepts associated with coercion theory — deterrence, compellence, signaling, brinkmanship, cost imposition, and escalation — should also be less salient in national cyber strategy. A lesser-studied strategic bargaining concept — the fait accompli — better describes the way most states behave in cyberspace, albeit still imperfectly. Moreover, the strategic logic behind the fait accompli aligns with the structural imperative and strategic incentives identified by cyber persistence theory — the theory prescribing a strategic approach of persistent engagement. It thus provides additional reason for committing to persistent engagement, and adopting its core strategic principle of seizing the initiative in setting the conditions of security, as an anchor for national cyber strategy.
The Fait Accompli
Dan Altman’s research on the fait accompli in terrestrial disputes notes that James D. Fearon, in reviewing the literature on strategic interaction during crises, drew a basic distinction between crises as competitions in risk-taking and crises as competitions in tactical cleverness (i.e., as attempts to outmaneuver the adversary). Fearon argued for the importance of both, but focused on the former. International relations theorists leveraged Fearon’s insights on competitions in risk-taking to develop a strategic bargaining paradigm that places central emphasis on the concepts of coercion, signaling resolve, brinkmanship, and escalation. It was natural to adopt these concepts to describe and explain state cyber behaviors. But many have argued those concepts fail to explain most state cyber behavior short of armed conflict. Fearon’s less-explored alternative better describes this behavior; its premise is captured in the strategic bargaining concept of the fait accompli.
The fait accompli is described with little variance in international relations strategic bargaining literature. Altman says the “fait accompli imposes a limited unilateral gain at an adversary’s expense in an attempt to get away with that gain when the adversary chooses to relent rather than escalate in retaliation.” Alexander George describes it as altering the status quo in one’s favor through a quick decisive transformation of the situation that avoids unwanted retaliatory escalation. A recent illustrative example is Russia wresting the Crimean Peninsula from Ukraine in February 2014. Altman uncomfortably bins the fait accompli under coercive bargaining, but only because faits accomplis in the conventional strategic environment (i.e., the terrestrial frame) normally represent the failure of deterrence.
The strategic logic behind the fait accompli in terrestrial disputes hinges on finding vulnerabilities in “red lines.” Altman defines red lines as the part of a coercive demand that distinguishes compliance from violation. When red lines are viewed as arbitrary, imprecise, incomplete, or unverifiable, states are incentivized to act unilaterally to achieve their limited desired gain. In terrestrial disputes, red lines are usually anchored on a disputed border. India and Pakistan, for example, have clashed over Kashmir’s status and border several times, with both making claims to the whole of Kashmir but, today, controlling only parts of it — territories recognized internationally as “Indian-administered Kashmir” and “Pakistan-administered Kashmir.” When states do act, Altman concludes that “faits accomplis are more likely to succeed at making a gain without provoking war when they take that gain without crossing use-of-force red lines.”
Finally, although the fait accompli may fail to achieve the desired outcome for several reasons — for example, the defender chooses not to relent and marshals superior forces to take back the gain made — it fails in execution for only one reason: The defender anticipates the unilateral action and sets the conditions of security in its favor. This is in stark contrast to the several ways coercive strategies can fail: lack of commitment, ambiguity of demands, or non-credible capability.
Policymakers and scholars developing cyber strategy should not uncritically adopt strategic concepts created to describe and explain state behavior in nuclear and conventional environments. For example, Richard Harknett and I adapted and caveated aspects of Herman Kahn’s concept of agreed battle, introduced in On Escalation: Metaphors and Scenarios, when creating the concept of agreed competition to describe tacitly bounded strategic interaction in the cyber competitive space short of armed conflict. The same tack is taken with the fait accompli.
The Fait Accompli in Cyberspace
The fait accompli in the cyber strategic environment is a limited unilateral gain at a target’s expense where that gain is retained when the target chooses to relent rather than escalate in retaliation. China’s cyber-enabled illicit acquisition of key personnel data from the U.S. Office of Personnel Management serves as an example. I eschew George’s “quick” adverb in this definition because, although gains can be realized quickly through cyber exploitation, gains are also realized through sustained exfiltration supported by on-network persistent presence. For example, Mandiant reported in 2013 that Chinese cyber operators engaged in illicit acquisition of intellectual property maintained access to targeted networks for an average of 356 days. I exclude Altman’s verb “imposes” because it harkens to a key phrase — cost imposition — that is tightly coupled with coercion theory.
“Unilateral” means that the defender does not participate in the activity, which is rooted in exploitation. Thus, the fait accompli is distinct in principle from coercion, which describes demands, signaling, and interaction. Moreover, making gains at the expense of an adversary is not the same as threatening to impose costs or actually doing so. Once a benefit or gain is realized, it may subsequently serve as a foothold for future coercive cyber strategic bargaining, depending on the target’s coercive political value; however, first and foremost, the fait accompli is about seeking unilateral gains through exploitation. It’s about seeing an opportunity and seizing it.
As in the terrestrial frame, states adopting the fait accompli have a strategic incentive to pursue their desired gain in, through, and from cyberspace in ways that do not invite escalatory retaliation. This is consistent with the empirical record to date of most behaviors in cyberspace between states not already engaged in militarized crises or armed conflict, including all of those listed above. Again, as in the terrestrial frame, the strategic logic behind the fait accompli in cyberspace hinges on finding vulnerabilities. However, unlike the terrestrial frame, those vulnerabilities do not lie in the ambiguity of a coercive demand, but rather in the very fabric of cyberspace itself. Cyberspace has been described as a vulnerable yet resilient technological system, organically offering an “abundance of opportunities to exploit user trust and design oversights.” These opportunities provide a strategic incentive for states to pursue unilateral gains in, through, and from cyberspace. This incentive is further enhanced because, while the fait accompli in physical space returns a marginal gain — often a small piece of territory — cyberspace enables campaigns of faits accomplis capable of generating strategic gains. That the source of vulnerability is not an ambiguous coercive demand has another important implication — it eliminates Altman’s rationale for coupling the fait accompli with coercive bargaining in cyberspace.
There is a second way in which the fait accompli in cyberspace diverges from that in the conventional strategic environment. Alexander George describes the fait accompli as a strategic bargaining concept states use to change the status quo in the international system. The fait accompli describes strategic bargaining behavior in cyberspace only when states are seeking to alter the status quo within cyberspace by changing the conditions of security in their favor. This strategic interaction would be representative of tacit bargaining. That said, in the cyber competitive space most adversary cyber faits accomplis do not seek to change the status quo in cyberspace itself. Rather they often seek to accumulate strategic gains in, through, and from cyberspace to maintain or change the status quo in the international system — consider North Korea’s cyber-enabled theft from financial institutions and cryptocurrency exchanges, and its use of the stolen funds to develop intercontinental ballistic missiles. Thus, the fait accompli more often describes a strategic choice in the cyber competitive space than it describes strategic bargaining. To paraphrase Richard Harknett, all strategic bargaining is competition but not all strategic competition is bargaining.
The fait accompli, then, while imperfect, is a more appropriate strategic concept than coercion (and its associated concepts) for describing and explaining states’ cyber behaviors short of armed conflict. It accounts for both unilateral operations seeking gains from often significantly disparate targets and mutual efforts to routinely avoid operations that could justify armed retaliation. Former U.S. Secretary of Defense Leon Panetta’s concerns regarding a cyber Pearl Harbor (a fait accompli) were met with both skepticism and support. By referencing the fait accompli, Panetta highlighted an important strategic concept upon which policymakers should be focused in cyberspace. However, Panetta fixed only on the fait accompli as a strategic bargaining concept in the cyber strategic space of militarized crises and armed conflict. He failed to recognize the fait accompli as an adversary’s preferred and highly consequential strategic choice in the cyber strategic competitive space short of armed conflict.
The Fait Accompli, Cyber Persistence Theory, and Persistent Engagement
Cyber persistence theory argues that since the potential for exploitation is ever-present in cyberspace (i.e., the incentives for a fait accompli always exist), and states are in constant contact due to interconnectedness, states must assume their sources of national power are vulnerable. From a national security perspective, states must be concerned that core economic, political, social, and military capability and capacity could be undermined. Thus, a state’s only logical choice to ensure its security is to anticipate and proactively mitigate the exploitation of its vulnerabilities. The structural imperative thus becomes persistence in seizing the initiative to set the conditions of security by exploiting adversary vulnerabilities and reducing the potential for exploitation of its own.
States acting on this strategic imperative in cyberspace are, in fact, securing national interests in and through cyberspace from other states’ cyber faits accomplis. The strategic principle of seizing the initiative is the essence of persistent engagement. Understanding states’ cyber behaviors as faits accomplis bolsters the argument for adopting a cyberspace strategy of persistent engagement, which anticipates the unilateral actions of aggressors and sets the conditions of security in the defender’s favor.
The fait accompli in the conventional strategic environment (the terrestrial frame) is described as a form of “partial deterrence failure.” Thus, policy recommendations for eliminating it as a viable adversary strategic bargaining choice are derived from coercion theory. Altman, for example, argues that precise, complete, and verifiable red lines would discourage adversaries from adopting the fait accompli strategic bargaining option. If one were to embrace whole cloth the conventional environment’s description of the fait accompli for the cyber competitive space, policy recommendations would look the same: Make it clear where the red lines are in cyberspace. The 2018 National Cyber Strategy of the United States promotes this approach to cyber security, arguing that “increased public affirmation [of security enhancing standards] by the United States and other governments will lead to accepted expectations of state behavior” and strengthen the ability to deter. There are other recent promotions of the same, calling for a stronger signaling strategy and declaratory policy. Unfortunately, this misconstrues how the fait accompli concept actually applies to the competitive space, where the incentive for the strategic choice derives not from the absence of a declaratory policy or ambiguous red lines, but from the vulnerabilities inherent in cyberspace itself. When taking this perspective, the misalignment between a coercion-centric strategy and the strategic realities of the cyber competitive space becomes obvious.
Consider vulnerability CVE-2017-0144 (more commonly known as EternalBlue) in the Common Vulnerabilities and Exposures catalog (a list of publicly known cybersecurity vulnerabilities), which is well known for prompting a more public disclosure of the United States’ Vulnerabilities Equities Policy and Process. Within two months of CVE-2017-0144’s public appearance (April 2017), an exploit of the vulnerability manifested as WannaCry ransomware. It then manifested one month later as NotPetya, a purely destructive attack disguised as ransomware; a couple of months later as Retefe, a banking Trojan that routes traffic to and from the targeted banks through various proxy servers often hosted on the TOR network; and again in October 2017 as WannaMine, a cryptocurrency miner. Assuming all of these behaviors are considered unacceptable, this set of very different CVE-2017-0144 exploits demonstrates the challenges that a security approach based on declaratory policy and red lines would struggle to overcome.
The range of gains for which CVE-2017-0144 was exploited illustrates how imaginative and clever adversaries seeking gains can be — exploitations that the United States most often learns of after the gain has already been realized. A coercion-centric strategy suggests two potential policy responses to this strategic reality. The first is to establish red lines and declaratory policy informed by faits accomplis. That is, review adversary behaviors after damage has been done and announce that those behaviors are viewed as unacceptable and will be met with, for example, a U.S. response at the time and place of its choosing. This response should look familiar, as it is somewhat representative of current national policy. If continued it would likely portend U.S. strategic decline, as it is akin to putting on a bandage after one has already bled out. The second response is to try to anticipate the novel gains states may seek and establish ex ante red lines as a deterrent hedge.
Cyberspace’s brief history does not suggest that the United States, or any other state, possesses such foresight — recall that CVE-2017-0144 was exploited for four different gains. Further, it is reasonable to expect that the same vulnerability will be exploited again. Emergent vulnerabilities compound this concern with another: a need for agility. The U.S. government lacks the agility to quickly forecast for what gains states might exploit an emergent vulnerability, and transition that knowledge swiftly into declaratory policy and red lines before that vulnerability is widely exploited — consider that CVE-2017-0144’s four different exploits manifested within seven months of its revelation. Given these implementation challenges, declaratory policy and stronger signaling should not be a central focus of national cyber strategy.
Removing the fait accompli as a viable strategic choice for adversaries instead requires policies and activities that support deliberately considered, continuous, proactive and assertive cyber campaigns, operations and activities. Recent policy supporting this orientation includes, for example, National Security Presidential Memorandum 13 on cyber operations; new or clarified authorities for cyber operations associated with the 2019 National Defense Authorization Act; the 2018 Department of Defense Cyber Strategy; and the Department of Defense general counsel’s framework for evaluating the legal sufficiency of proposed military cyber operations. An example activity is U.S. Cyber Command’s ongoing efforts to inoculate vulnerable systems from potential adversary exploitation by posting adversary malware discovered through persistent operations to the VirusTotal website. This effort is complemented by persistent operations seeking out vulnerabilities themselves. Focusing on cyberspace’s inherent vulnerabilities to obviate the fait accompli strategic choice requires no foresight regarding an adversary’s purpose for exploiting vulnerabilities; rather, it only requires efforts to discover vulnerabilities and assess their potential for exploitation. Mitigation, if warranted, or exploitation, if preferred, can be pursued in a number of ways by various actors to preclude adversary faits accomplis.
As an example of mitigation, consider the National Security Agency’s recent sharing of the discovery of a critical Windows 10 vulnerability with Microsoft. When sharing its discovery, the agency assessed that it “makes trust vulnerable” and “places Windows endpoints at risk to a broad range of exploitation vectors.” Microsoft then released a Jan. 14, 2020, patch that effectively made faits accomplis non-viable for adversaries that might have targeted the vulnerability had it become widely known. An example of exploitation to increase security is reportedly found in U.S. Cyber Command’s initiative to exploit vulnerabilities in the cyber infrastructure of the Internet Research Agency in Russia to defend the 2018 U.S. midterm elections. These examples confirm that the United States is already acting to anticipate and address vulnerabilities through which states could execute faits accomplis. There is opportunity for improvement, however.
I recently asserted that persistent engagement’s strategic principle should be the basis of a national cyber strategy and highlighted exemplars of ongoing efforts to seize the initiative and stem the tide of strategic effects from China’s cyber-enabled illicit efforts to acquire intellectual property in, through, and from cyberspace. All of these efforts are important, but some, including the Department of Justice’s China Initiative, are reactions to gains already realized by adversaries and thus indicative of the United States contesting the outcomes of, rather than precluding, cyber faits accomplis. Many of the recommendations in the Cyberspace Solarium Commission Report are similarly reactive instead of proactive, which signifies that the United States is playing catch-up. That is not to say they are not valuable — when you are behind, you must make up ground. As Congress considers legislative proposals informed by the Cyberspace Solarium Commission’s recommendations, however, it should prioritize policies that will better enable the United States to continuously anticipate and act, creating a national capability for obviating the fait accompli as a viable strategic choice for adversaries. This capability is necessary if the United States is to get and stay ahead of its adversaries in a cyberspace environment where technology, terrain, targets (and their political value), capabilities, and intentions are ever-changing. From this perspective, two Cyberspace Solarium Commission recommendations stand out as candidates for fast-tracking through the legislative process: “Create or designate critical technology security centers,” and “commit significant and consistent funding toward research and development in emerging technologies.” These efforts would help the United States to see vulnerabilities around the corner, stay ahead of its cyberspace adversaries, and consequently make the fait accompli in cyberspace a less viable strategic choice.
Dr. Michael Fischerkeller is a research staff member of the Information Technology and Systems Division at the Institute for Defense Analyses.