Taking the Gloves Off

Next Article

Automated Alternative

Strategic Vision vol. 7, no. 39 (August, 2018)

Taipei has opportunity to leverage more assertive US posture on cyber defense

John Phillips

The deluge of commentary about American strategy in the era of President Donald Trump continues to mislead, confuse, and distort. The only consistent White House policy is economic and diplomatic arson, and parsing the rationality of arson is an oxymoron. Despite this, there are other ways to discern America’s international strategic outlook. After all, the most important American policymaking body is the US Congress, and its role in foreign policy is clearly stated in the Constitution of the United States (despite the ongoing failure to exercise its duty to take a position on matters of war). Therefore, where reading the mind of the White House is next to impossible, Congress is a suitable and more desirable alternative. Partners to the United States, especially those that depend on American extended deterrence, should look to Congress for guidance.

One of the most striking changes to American national defense policy since 2016 is found in the recent National Defense Authorization Act (NDAA), which included significant changes to American use of cyber operations. Congress has authorized a forwardleaning cyber security posture that frees US Cyber Command (USCYBERCOM) to engage in offensive, continuous operations. While the tactical use of cyber operations has not dramatically changed, the strategic implication has, especially for Taiwan.

In particular, section 1642 of the NDAA authorizes USCYBERCOM to engage in direct, offensive military operations against Russia, Iran, North Korea, and the People’s Republic of China (PRC). The authorization by Congress of offensive cyber operations (euphemistically called “active defense”) is no trifle.

Under the Obama administration’s Presidential Policy Directive-20 (PPD-20), authority to launch cyber attacks required significant interagency support. Operational value was weighed against the needs of diplomatic offsetting, alternative courses of action and, notably, legal considerations. In so doing, cyber operations were slow to begin and, as such, slow to take effect. The wait was so long that it often caused the United States to forfeit the tactical advantage afforded by momentum and catching adversaries off balance.

By preemptively authorizing cyber operations in a manner similar to the Authorization for Use of Military Force (the difference being that the War Powers Resolution was not invoked), Congress has delegated legal authority to the executive branch to act and, with it, strategic flexibility. In other words, in the case of these four countries, legal constraints for offensive cyber operations are nil. With that one major hurdle removed, cyber operations can be authorized and pursued more or less at the whim of the decision-making authority.

Eliminating hassle

Using this new authority, the Department of Defense (DOD) released a summary strategy for cyberspace which eliminated the hassle of interagency authorization and review established by PPD-20. The strategy includes several important statements, notably that the DOD “must take action in cyberspace during day-to-day competition” and that the DOD will “conduct cyberspace operations to collect intelligence and prepare military cyber capabilities” for potential crisis or conflict. It goes on to state that the DOD intends to “strengthen the security and resilience” of networks and systems and, also, “collaborate with our interagency, industry, and international partners.”

The implications for Taiwan are significant. PRC war planning for an aggression against Taiwan generally follows a few similar themes. In each, the most critical element of a PRC attack would be the rapid destruction of Taiwan’s ability to self-govern. Whether launching a blockade, a limited coercive attack, or a full-scale invasion, the PRC would attack communications infrastructure, government buildings and officials, Internet connectivity, electricity, and other basic services. The rationale is that the absence of an information infrastructure would inhibit Taiwan’s ability to mobilize its military reserve, and a lack of effective governance would foment societal panic. The chaos of a shock-and-awe campaign would lead the people to become docile and more or less accept salvation by the PRC. Docility precedes surrender, or so this line of thinking goes.

In line with this thinking, the PRC has centralized authority of its information related capabilities within the Strategic Support Forces (SSF). While PRC hacking and cyber-espionage are well-known phenomena, the SSF is a military force that exists to achieve military objectives. We can see in the SSF a foreshadowing of PRC objectives to incorporate offensive cyber capability in an attack to disable critical information infrastructure that would otherwise enable Taiwan to inform its civilians, mobilize its military, and defend its territory from PRC invasion.

Therein lies the challenge—and opportunity—for Taiwan, which is no stranger to PRC cyber intrusion and political warfare. Taipei has begun taking the necessary steps to improve its ability to withstand cyber attack. Indeed, Taiwan’s cyber development strategy is a remarkably clear-eyed assessment of its deficiencies and vulnerabilities. The solutions proposed by the strategy are comprehensive, and include human capital development to critical information infrastructure protection in partnership with industry and academia. Those recommendations have largely been translated into official policy by the May 2018 initial passage of the Cybersecurity Management Act (CMA) by the Legislative Yuan. That act is currently pending implementation.

The CMA misses a significant opportunity to contribute to Taiwan’s broader strategic security and deterrence against the PRC, however. Joint training and exercises in cyberspace are a low-cost, low-visibility opportunity for Taiwan to partner with the United States to increase its force readiness, identify critical shortfalls, and enhance its resilience against a potential large-scale cyber attack.

This matters. Cyber operations, both defensive and offensive, have the possibility of radically transforming Taiwan’s security posture. As another assessment has shown, Taiwan is capable of defending itself from the PRC, but that assessment largely failed to take into account the potentially revolutionary implications of cyber operations. In a PRC invasion scenario, cyber operations could completely debilitate Taiwan’s command-and-control nodes, thereby eliminating Taiwan’s self-defense capability.

Conversely, the beauty of cyber operations is that it is almost impossible to determine who has what capabilities. This is partly what makes the idea of international regulation of cyber weaponry so difficult and, indeed, unlikely. As such, if the PRC were to launch an attack on Taiwan, it risks its operational success on two very dangerous gambles: First, the PRC is betting that the United States would remain entirely on the sidelines, including in cyberspace. Second, the PRC assumes that it can withstand US offensive cyber capability and continue to wage a complex, multidomain armed conflict against Taiwan. If these two gambles seem far-fetched, that would be because they are.

Taiwan policymakers should recognize this convergence between their national security and American strategy, and capitalize on it. Taiwan has already taken the vital step of pursuing critical information infrastructure protection, thereby increasing its ability to withstand a PRC cyber assault. It should now pursue stronger cooperation with the United States to pursue interoperability in cyberspace. In so doing, Taiwan would be strengthening its status beneath the American deterrence umbrella, improving its ability to withstand PRC invasion, and hopefully gaining an ally in cyberspace that can disrupt a PRC attack while still in its critical stages.

John Phillips is an independent consultant and Luce Scholar based at the Taiwan Center for Security Studies.in Taipei. He can be reached for comment at john.t.phillips2@gmail.com