Intelligence and National Security

ISSN: 0268-4527 (Print) 1743-9019 (Online) Journal homepage: https://www.tandfonline.com/loi/fint20

U.S. cyber strategy of persistent engagement &

defend forward: implications for the alliance and
intelligence collection

Max Smeets

To cite this article: Max Smeets (2020): U.S. cyber strategy of persistent engagement & defend
forward: implications for the alliance and intelligence collection, Intelligence and National Security,
DOI: 10.1080/02684527.2020.1729316

To link to this article: https://doi.org/10.1080/02684527.2020.1729316

Published online: 15 Feb 2020.

Submit your article to this journal

View related articles

View Crossmark data

Full Terms & Conditions of access and use can be found at

https://www.tandfonline.com/action/journalInformation?journalCode=fint20
INTELLIGENCE AND NATIONAL SECURITY
https://doi.org/10.1080/02684527.2020.1729316

PERSPECTIVES ON INTELLIGENCE

U.S. cyber strategy of persistent engagement & defend forward:

implications for the alliance and intelligence collection
Max Smeets

ABSTRACT
This article evaluates the implications of U.S. cyber strategy of persistent
engagement for the alliance and intelligence collection. Whilst the strategy
may have benefits for certain alliance relationships, I identify four potential
negative consequences; loss of allied trust, disruption allied intelligence
operations and capabilities, exploitability of the strategy by adversaries, and
the implementation (and justification) of persistent engagement by other
countries. This paper concludes suggesting several ways forward, including
the creation of a new NATO-memorandum of understanding on cyber
operations.

The 2018 U.S. Cyber Command vision and the Department of Defense Cyber Strategy embody
a fundamental reorientation in strategic thinking.1 Based on the recognition that adversarial beha-
vior below the threshold of armed attack could nevertheless be strategically meaningful, U.S. Cyber
Command seeks to achieve ‘superiority through persistence’, that is constantly engaging with the
adversary – wherever they maneuver.2
Much has already been written about the implications of U.S. doctrinal change. The strategic shift
has, in particular, led to numerous critical remarks about the risks of escalation between the U.S. and
its main adversaries in cyberspace.3 Early on, Healey voiced concern that the change in strategy
would trigger the ‘new forever war in cyberspace’.4 In a more recent article, Healey analyzes the
implied causal chain of ‘persistent-engagement stability theory,’ and addresses how certain feedback
loops could potentially amplify or dampen cyber conflict.5 Others have argued that persistent
engagement deepens the cyber security dilemma – especially between the U.S. and China.6
The degree to which persistent engagement can help with the establishment of cyber norms has
opened a second line of debate. According to some proponents, persistent engagement is a form of
norms setting through practice, leading to a ‘comprehensive strategic great power competitive
space with its own distinct structural features.’7 Others are less positive that the strategy can create
a new normative area of competition – especially if it is not combined with other elements of
competitions in the economic, diplomatic, informational and military spheres.8
In addition, the shift in U.S. strategy together with a set of notable legal changes – particularly to the
authorisation and oversight architecture – has led scholars and practitioners to write more prolifically
about U.S. legal underpinnings of out-of-network operations.9 As a workshop report on military cyber
operations clarifies, three changes are most prominent: ‘Firstly, the changes confirmed that the [DoD] has
authority to operate in the cyber domain outside of the context of defending its own networks. Secondly,
they clarified when the executive can decide on the undertaking of operations outside US territory
without Congressional authorisation. [. . .] Thirdly, Congress explicitly articulated that the activity con-
ducted by U.S. Cyber Command does not constitute “covert action” as defined by US domestic law.’10

CONTACT Max Smeets MSmeets@ethz.ch

© 2020 Informa UK Limited, trading as Taylor & Francis Group
2 M. SMEETS

Overall, scholars have concluded that U.S. Cyber Command can now operate more swiftly as it is no
longer required to undertake the interagency process as before.11
Less systematic attention, however, has been devoted to the strategy’s implications for the
alliance and intelligence collection. The purpose of this paper is to conduct a benefit-risk assessment
of the US strategy on this issue.12 The assessment of this article takes place in five steps. The first
section notes that, historically, allied states operate in each other’s systems or networks in at least
two ways: as an observer, gathering intelligence on adversarial activity in others’ networks; and as
a passerby, transiting through allied systems and networks to access a certain adversarial target. It is
argued that, with the change in strategy, the U.S. now also seeks to be a disrupter, seeking to cause
friction for an adversary’s operation within an ally’s network or system. The second section addresses
the benefits of this activity and efforts of the U.S. to more closely collaborate with allies in this space.
It suggests US strategy of persistent engagement and defend forward can promote a stronger
defense as a whole – and for states with limited cyber capability in particular.13 The third section
subsequently discusses the four avenues of how the strategy could lead to negative implications for
the alliance: i) loss of trust due to offensive cyber effects operations in allied systems or networks; ii)
compromise of allied intelligence operations and capabilities; iii) exploitability of the strategy by
adversaries; and iv) the implementation (and justification) of persistent engagement by other
countries. The final section concludes and provides a potential proposal to move forward.

Out of network operations in allied systems or networks

The purpose of this section is to review the nature of U.S. Cyber Command’s out of network
operations. The first part talks about the understanding of territoriality and cyber operations.
The second part discusses three types of out of network operations in allied networks.
Following its change in strategy, U.S. Cyber Command seeks to operate ‘seamlessly, globally and
continuously.’14 In the U.S. Cyber Command vision it is stated that ‘[s]uperiority through persistence
seizes and maintains the initiative in cyberspace by continuously engaging and contesting adversaries
and causing them uncertainty wherever they maneuver.’15 In an article for Joint Force Quarterly, NSA
Director and Cyber Command head Gen. General Nakasone writes: ‘If we are only defending in “blue
space,” we have failed. We must instead maneuver seamlessly across the interconnected battlespace,
globally, as close as possible to adversaries and their operations, and continuously shape the battle-
space to create operational advantage for us while denying the same to our adversaries’16
‘As close as possible’ means that the US seeks to achieve effects i) outside of its own networks, and
ii) beyond adversaries networks. This vast area is not ungoverned space. We are talking here about
routers in Nairobi, servers in the Denmark, or operating infrastructure in other countries. As Seymour
Goodman put it ‘cyberspace always touches ground somewhere’.17
Yet, U.S Cyber Command’s use of terminology – as well as talk about ‘operating close to the
adversary’ – evades one issue: It is unclear whether Cyber Command only seeks to cause friction in
‘red space’ or if it seeks to compete in ‘gray space’ as well. These terms are often confused and not well-
understood. In fact, the issue was raised for ‘further exploration’ at Cyber Command’s 2018 symposium,
specifically understanding the ‘relevance of concepts like area of responsibility and red-blue-gray space
to the cyberspace domain.’18 Joint Publication 3–12 (JP 3–12) on cyberspace operations, prepared
under the direction of the chairman of the Joint Chiefs of Staff, explains the terminology:

The term “blue cyberspace” denotes areas in cyberspace protected by the US, its mission partners, and other
areas DOD may be ordered to protect. [. . .] The term “red cyberspace” refers to those portions of cyberspace
owned or controlled by an adversary or enemy. In this case, “controlled” means more than simply “having
a presence on,” since threats may have clandestine access to elements of global cyberspace where their
presence is undetected and without apparent impact to the operation of the system. Here, controlled means
the ability to direct the operations of a link or node of cyberspace, to the exclusion of others. All cyberspace that
does not meet the description of either “blue” or “red” is referred to as “gray” cyberspace.19
 INTELLIGENCE AND NATIONAL SECURITY 3

Gray space is defined based on the ‘nodes’ adversaries control. This means the vast area between
U.S. government-owned networks and adversaries is not considered to be gray space. Instead, if for
instance the GRU (Russia’s military intelligence agency) controls a node in the Netherlands, it is
considered to be red space based on JP 3–12.20 And it is worth mentioning that the notion of control
is open to interpretation by states.
This means that if U.S. Cyber Command seeks to operate only in ‘red space,’ its activities will still
have global reach. It also suggests that red space grows as adversaries expand their operational
activity. Most importantly, this implies that if U.S. Cyber Command seeks to achieve ‘effects’ in gray
space, this will involve operating infrastructure that adversaries do not control – which is to say those
systems or networks on which adversaries merely have a presence or are not active at all.
What is really new here? The United States has long operated in networks ‘close to the adversary.’
As Ben Buchanan’s book, ‘The Cybersecurity Dilemma,’ demonstrates, the U.S. has long acted as an
observer outside of its own networks, gathering intelligence of adversarial activity in those others’
networks.21 In fact, information has become public concerning a case in which the Five Eyes
collected intelligence about an espionage platform (dubbed ‘Snowglobe’ by the Canadian
Intelligence Agency CSEC and ‘Animal Farm’ by Kaspersky Lab) of an allied country, France, likely
operating in adversarial networks in the Middle East.22 In other words, the practice of fourth-party
collection is nothing new.23 Furthermore, the U.S. has long acted in foreign non-adversarial networks
as a passerby, transiting through allied’ networks to access an adversarial network.
Yet, the new Cyber Command and Defense Department strategy changes the nature of the
U.S. military’s behavior within those systems and networks. Under the new strategy, Cyber Command
wants to be an active disrupter on those networks. It wants to achieve effects – that is to disrupt,
deny, degrade, and/or destroy. The only known precedent is U.S. Cyber Command operators wiping
Islamic State propaganda material off a server located in Germany.24 The German government was
notified in some fashion but not asked for advance consent, causing much frustration.25 This will
likely lead to a systematic scaling up: U.S. Cyber Command now also seeks to be an active disrupter
on those networks ‘globally, continuously and seamlessly’ – not regionally and sporadically.26
Out of network operations in allied networks also affect the turf war between the NSA and Cyber
Command – mostly critically Title 10 and Title 50 concerns.27 As Chesney summarizes:
From a legal perspective, the issue this [case of Germany] highlights is that operations abroad implicate the UN
Charter and related claims about international law protection of sovereignty. [. . .] Intelligence agencies can more
easily act in this setting when operating under Title 50 authority, as covert action status carries with it a statutory
obligation to comply with the U.S. Constitution and U.S. statutes – but no more than that. Title 10, in contrast,
carries with it no such implicit statutory shield against international law objections, and of course there is
a general Defense Department policy of international law compliance. Thus CYBERCOM operating under Title 10
would run into the full thicket of international law concerns.28

Overall, it is expected that operating in allied networks under Title 10 is likely to cause more legal
friction than operating under Title 50.

Benefits and the creation of partnerships

The strategy of persistent engagement and defend forward can help less capable cyber actors
defend themselves against adversaries. Both the U.S. Cyber Command vision and the DoD cyber
strategy stress the importance of working closely with international and private sector partners to
successfully operate in cyberspace.29 The DoD strategy states the following: ‘Our strategic approach
is based on mutually reinforcing lines of effort to build a more lethal force; compete and deter in
cyberspace; expand alliances and partnerships; reform the Department; and cultivate talent.’30 On
international partnerships, it more explicitly states: ‘Many of the United States’ allies and partners
possess advanced cyber capabilities that complement our own. The Department will work to
strengthen the capacity of these allies and partners and increase DoD’s ability to leverage its
partners’ unique skills, resources, capabilities, and perspectives. Information-sharing relationships
4 M. SMEETS

with allies and partners will increase the effectiveness of combined cyberspace operations and
enhance our collective cybersecurity posture.’31
The United States has also signed several memoranda of understanding and over the years
addressed cyber cooperation in some way, shape or form. In 2008, a MoU was signed between the
Department of Defense and the German Federal Ministry of Defence about computer network
defense and information assurance.32 A year later, a similar MoU on computer network defense
was signed with South-Korea.33
More recently, the Cyber Command worked alongside Montenegrin cyber defenders with as aim
‘to increase interoperability, build partner capability, and deter malign influence on the democratic
processes of our allies, partners and the U.S.’34 It was reported that U.S. Cyber Command personnel
operated in the networks of Ukraine and Macedonia as well to help those countries defend against
malicious cyber activity.35 At the 2019 Cyber Command symposium, specific examples were dis-
cussed on how cooperation can also help in not just detecting or deterring adversaries but also cause
friction in their operational activity.36 For example, the U.S. might upload foreign APT malware
samples on VirusTotal, an online malware repository and file scanning service, forcing adversaries to
go back to the drawing broad and adapt.37 One can think of several other scenarios how interna-
tional partnerships (also with the private sector) can help to ensure more coordinated take down of
adversarial operations – actions beneficial to both the US and its partners.

Risks for allies and intelligence collection

This section addresses four connected risks associated with US strategy. The first risk is perhaps the
most obvious: if U.S. Cyber Command directly operates in allied networks without consent, it creates
friction by allies undermining trust. Operating instantly makes sense considering the potential
operational tempo of adversaries: You cannot have protracted diplomatic discussions for two
months with an ally about whether or not to take down some command and control infrastructure
of an adversary hosted in the allied country. You don’t have days, let alone months. As a participant
mentioned at the 2019 Cyber Command Symposium on strategy: ‘Opportunities within this domain
are fleeting.’38
Operating seamlessly could also make sense if an ally does not mind the U.S. coming into its
networks to address the malicious activity. In this vein, the U.S. can continue to build partnerships
with countries that do not have the capacity to defend against cyber attacks on their own, as
described above. But, what if an allied country is not keen on having the U.S. military in its networks,
actively, seamlessly, and continuously disrupting an adversary’s cyber operations? As the German
case shows, this scenario will likely come up a lot more in the near future.
Second, it is not just about cyber effect operations taking place in systems or networks in allied
territory. There could also be a negative impact on allied intelligence operations and capabilities
beyond these systems and networks. The U.S Cyber Command – and other military cyber organiza-
tions – are operating in a global environment historically dominated by intelligence agencies, and
the Five Eyes has always been the most dominant actor in cyberspace.39 But the Anglophone
intelligence alliance is not the only intelligence actor operating across the world. Recent cases –
such as the infiltration of the Dutch General Intelligence and Security Service into the Russia-based
network of the infamous hacking group Cozy Bear – have illustrated the continued global prevalence
and value of allies’ intelligence operations beyond the Five Eyes alliance.40 If U.S. Cyber Command
increasingly take up the role of ‘disrupter’ it may negatively impact global intelligence collection of
allies – particularly those countries that favor long-term access over immediate effect. It will also
more likely uncover and burn allied capabilities.
The risks of occurring are higher than one may think as intelligence agencies have a tendency
and incentive to target and track the same entities. For example, in late 2014, cybersecurity
company Kaspersky Lab reported on the so-called ‘Magnet of Threats’. The cybersecurity company
discovered a server belonging to a research organization in the Middle East that simultaneously
 INTELLIGENCE AND NATIONAL SECURITY 5

hosted implants for at least five Advanced Persistent Threat (APT) actors: Regin and the Equation
Group, Turla and ItaDuke, Animal Farm, and Careto.41 All of these APTs have been associated with
prominent national security and intelligence agencies. Equation group and Regin are connected to
the Five-Eyes. As said, Animal Farm has been attributed to France’s external intelligence agency.
Turla Group has been associated with the Russian federal security service (FSB). ItaDuke is said to
be linked to the Russian government too. Finally, it is theorized that Spain is behind Careto, also
known as ‘The Mask’.
Consider what would have happened if one of those five APT groups had sought to cause
a disruptive effect – rather than collect intelligence – against the target in the Middle East. It likely
would have resulted in much earlier discovery and analysis by threat intelligence companies (or
other actors) exposing the tactics, techniques and procedures (TTPs) of each actor group.
Also, even the anticipation of more cyber effect operations in non-allied networks from one allied
state could lead to a change in operations by another state. Indeed, states have shown in the past
that the anticipation of early discovery of an operation has led to a change in their TTPs. For example,
the National Security Agency (NSA) created an ‘exploit orchestrator’ called FoxAcid, an internet-
enabled system capable of attacking target computers in a variety of different ways, depending on
whether it is discovered – or likely to be discovered – in a given network.42 FoxAcid has a modular
design, with flexibility allowing the NSA to swap and replace exploits and run different exploits
based on various considerations. Against technically sophisticated targets where the chance of
detection is high, FoxAcid would normally choose to run low-value exploits.
Third, allied friction could potentially be exploited by adversaries. Adversaries do not randomly
choose which intermediate nodes to direct their operations through. If Russia has the choice to go
through a network that would raise some serious diplomatic friction between the U.S. and a U.S. ally,
or operate through a network that would cause no diplomatic friction for the U.S., what would it
prefer?
It would make sense for adversaries to operate through the networks of exactly those countries
with which the U.S. has a strong relationship but that do not want the U.S. to operate within their
networks causing any effects. Russia is already good at exploiting divisions between the U.S. and its
allies. Cyber Command’s new strategy might give it another avenue to do so.
Fourth, whilst allies can integrate their cyber efforts into U.S. strategy of persistent engagement, if
allies would adopt their own strategy of persistent engagement – mirroring U.S. current doctrine and
practice – it would likely further undermine the alliance relationships. If US strategy of persistent
engagement leads allies to adopt their own strategy of persistent engagement, it would mean allies
also seek ‘superiority in cyberspace’; ‘continuously engaging and contesting adversaries and causing
them uncertainty wherever they maneuver’; and operating ‘seamlessly, globally and continuously’ –
as stated in the Cyber Command vision. More specifically, it would mean that allies seek to swiftly
achieve effects in systems and networks that are potentially located on U.S. territory, without
necessarily notifying the U.S. government before. In other words, it means that networks and
systems turn into red space and gray space for allies – like allied networks are now gray and red
space for the U.S. to actively disrupt and degrade adversarial operations.
It is unlikely that the U.S. government would react positively if Germany, or any other allied
country for that matter, hacks into a server hosting Russian propaganda that was located in the
United States, with some form of notification but without Pentagon’s consent.43 There are numerous
reasons why the US government would be upset with this type of behavior. It would likely be seen as
reckless from Germany – especially if the US was already on those same networks for intelligence
collection purposes.
An important dimension of this scenario is derived from the fact that the U.S. is a vast target rich
environment, potentially even prioritized as a target by adversaries such as China, Russia, North
Korea, Iran – as well as non-state actors. As stated above, red space and gray space are defined,
according to U.S. Joint Publication 3–12 on Cyberspace Operations, based on what ‘nodes’ adver-
saries ‘control’. There are many nodes adversaries (of US allies) want to control in the US. In other
6 M. SMEETS

words, if US allies would seek to swiftly disrupt and degrade cyber operations in red space and gray
space on a constant-basis, much of that would be in the United States.
Last year the NATO alliance reached a landmark that went largely unnoticed: there are now more
NATO member states that have publicly declared they are seeking to establish an institutional
capacity within the military forces to conduct cyber effects operations than there are member states
that have remained publicly silent on this issue.44 Yet, most NATO members are still at the early
stages of organizational development – and pour relatively few resources into their military cyber
organizations to conduct cyber effects operations.45 Their operational capacity is limited. France and
Germany stand out for the extent of resources officially allocated to their military cyber organizations
(beyond the Five-Eyes) – but public statements about these figures are generally hard to interpret
and compare given distinct institutional design across military cyber organizations of states.46 This
risk is therefore less significant for the short term, but is likely to grow in the medium to long term.

Conclusion and discussion

The purpose of this paper was to provide a benefit-risk assessment of US strategy for its allies and
intelligence collection. Whilst the U.S. government’s mission to persistently engage with adversaries
may have benefits for allied states, the paper identified several avenues how the strategy leads to
negative implications for the alliance. To conclude, it is therefore worth considering how these risks
can be mitigated.
First, the principles of persistent engagement and defend forward are often jointly discussed.
How the two principles relate to each other, however, remains unclear. According to some, persistent
engagement is an ‘operationalization’ of the defend forward concept. Others believe there is
a difference between the two concepts. If the latter is the case, it is important to assess to what
degree a strategy of persistent engagement necessitates ‘defending forward’ and contesting adver-
saries wherever they are. In other words, the question is whether sufficient friction can be created
without causing disruption in allied networks. Second, terminology about terrain in cyberspace is
frequently confused by policymakers and experts. The U.S. government needs to (re)assess how its
terminology of terrain in the physical domains applies to cyberspace.
Last, NATO allies should consider establishing memoranda of understanding on offensive cyber
effects operations in systems or networks based in allied territory.47 The goal of the proposed
memorandum would be to reduce discord among the allies; enhance trust, transparency and
confidence between allies; and improve the effectiveness of disrupting and deterring adversaries’
operations in cyberspace. The scope of the memorandum would include: i) developing a common
notification equity framework for out-of-networks operations which seek to achieve cyber effects in
allied systems or networks; ii) identifying procedures for communicating the consideration and
conduct of offensive cyber effects operations between states against systems or networks in allied
territory; and iii) identifying technical solutions and administrative documentation required for the
continuous exchange of information on offensive cyber operations. In writing the memorandum,
states first and foremost should agree on the equities involved in permitting signatories to conduct
cyber effect operations in each other’s networks – and the relative weight of those equities. Equities
that should be considered include: i) the ability of an actor to take action to negate known threats on
or to the other parties’ networks and systems; ii) the likelihood that an action will negate known
threats; iii) the imminence and scale of the threat; iv) the risk of collateral damage; v) whether the
computer system or network is government-owned or privately owned; and vi) the certainty that the
system or network will be used to achieve strategic effects by the adversary.48 Finally, though the
memorandum of understanding may help in promoting stability and enhancing confidence
amongst allies, it is not a silver bullet. It can only reduce allied concerns rather than mitigate
them. Military cyber organizations may still conduct effect-based operations in allied territory with-
out consent, leading allies to assert that their sovereignty has been violated.
 INTELLIGENCE AND NATIONAL SECURITY 7

Furthermore, there is another crucial player involved. As Gen. Nakasone noted in the Joint Force
Quarterly article, cyberspace is owned largely by the private sector. They deserve a seat at the table as
well.49

Notes
1. US Cyber Command, “Achieve and Maintain Cyberspace Superiority”; and Department of Defense, “Cyber
Strategy 2019.”
2. Ibid.
3. Note, however, that the strategy itself is silent on this issue as Smeets and Lin note. Also, as Jacquelyn Schneider
notes, “It is almost impossible to prove assumptions about escalation. So much of escalation is based on
perceptions [.] that it is both impossible to say that an action will never lead to escalation or that it will always
lead to escalation.” Smeets and Lin, “4 A Strategic Assessment of the U.S. Cyber Command Vision”; and
Schneider, “Persistent Engagement.”
4. Healey, “Triggering the New Forever War, in Cyberspace”; and Healey, “The Implications of persistent (and
permanent) engagement in cyberspace.”
5. The paper also provides an excellent historical analysis of the intellectual and policy origins of the new strategy.
Healey, “The implications of persistent (and permanent) engagement in cyberspace.”
6. Buchanan and Williams, “A Deepening U.S.-China Cybersecurity Dilemma”; Chesney, “An American Perspective
on a Chinese Perspective on the Defense Department’s Cyber Strategy and ‘Defending Forward’”; Jinghua, “A
Chinese Perspective on the Pentagon’s Cyber Strategy”; and Jinghua, “What Really Matters in ‘Defending
Forward’?”
7. Fischerkeller and Harknett, “A Response on Persistent Engagement and Agreed Competition”; and Fischerkeller
and Harknett, “Persistent Engagement and Tacit Bargaining.”
8. Miller and Pollard, “Persistent Engagement, Agreed Competition and Deterrence in Cyberspace”; and Smeets,
“There Are Too Many Red Lines in Cyberspace.”
9. For early reporting on this see: Pomerleau, “New Authorities Mean Lots of New Missions at Cyber Command”;
and Borghard and Lonergan, “What Do the Trump Administration’s Changes to PPD-20 Mean for U.S. Offensive
Cyber Operations?”
10. Kaminska, Chesney, and Smeets, “A Transatlantic Dialogue on Military Cyber Operations,” For an excellent, more
in-depth overview see: Chesney, “CYBERCOM’s Out-of-Network Operations”; and Chesney, “The 2018 DOD Cyber
Strategy.”
11. On how interagency processes impacted the effectiveness and efficacy of cyber operations in the past see:
McGhee, “Liberating Cyber Offense.”
12. This means that this paper does not seek to provide a general review of persistent engagement and its
connected institutional development. For works attempting to conduct this type of exercise see: Smeets and
Lin, “Chapter 4: A Strategic Assessment of the U.S. Cyber Command Vision”; and Healey, “The implications of
persistent (and permanent) engagement in cyberspace.”
13. The meaning of cyber ‘capability’ or ‘power’ remains contested. For a discussion see: Betz and Stevens,
“Cyberspace and the State: Towards a Strategy for Cyber-Power”; and Hathaway, “Cyber Readiness Index 1.0.”
14. US Cyber Command, “Achieve and Maintain Cyberspace Superiority.”
15. Ibid.
16. Nakasone, “A Cyber Force for Persistent Operations.”
17. Goodman, Kirk, and Kirk, “Cyberspace as a medium for terrorists.”
18. USCYBERCOM, “2018 Cyberspace Strategy Symposium Proceedings.”
19. Joint Publication 3–12, “Cyberspace Operations.”
20. Ibid.
21. Buchanan, “The Cybersecurity Dilemma.”
22. GReAT, “Animals in the APT Farm.”
23. Guerrero-Saade and Raiu, “Walking in your Enemy’s Shadow.”
24. Nakashima, “U.S. military cyber operation to attack ISIS last year sparked heated debate over alerting allies”; and
Bing, “Command and control.”
25. Chesney, “Title 10 and Title 50 Issues When Computer Network Operations Impact Third Countries.”
26. See note 14 above.
27. Bing, “Command and control: A fight for the future of government hacking.”
28. Chesney, “Title 10 and Title 50 Issues When Computer Network Operations Impact Third Countries.”
29. See note 14 above.
30. Department of Defense, “Cyber Strategy 2019: Summary.”
31. Ibid.
8 M. SMEETS

32. Whilst the U.S. Cyber Command’s reported action may have violated Germany’s sovereignty, it didn’t explicitly
violate the MoU. But it wasn’t an act of CND; it was, but an act of a computer network attack (CNA), seeking to
disrupt, deny, degrade or destroy.; Unknown, “Memorandum of Understanding Between the Department of
Defense of the United States of America and The Federal Ministry of Defense of the Federal Republic of Germany
concerning cooperation on Information Assurance (IA) and Computer Network Defense (CND).”
33. “Memorandum of Understanding Between the Department of Defense of the United States of America and The
Ministry of National Defense of the Republic of Korea concerning cooperation on Information Assurance (IA) and
Computer Network Defense (CND),” (2 June 2009) https://assets.documentcloud.org/documents/2997984/
Document-04.pdf.
34. DoD News, “U.S., Montenegro Conduct Groundbreaking Cyber Defense Cooperation.”
35. Nakashima, “At nations’ request, U.S. Cyber Command probes foreign networks to hunt election security
threats”; and Barnes, “U.S. Cyber Command Bolsters Allied Defenses to Impose Cost on Moscow.”
36. U.S. Cyber Command, “The 2019 Cyberspace Strategy Symposium.”
37. Cimpanu, “US Cyber Command starts uploading foreign APT malware to VirusTotal.”
38. See note 36 above.
39. Smeets, “NATO Members’ Organizational Path Towards Conducting Offensive Cyber Operations.”
40. Modderkolk, “Dutch agencies provide crucial intel about Russia’s interference in US-elections.”
41. Kaspersky, “Spy Wars: How nation-state backed threat actors steal from and copy each other”; and Guerrero-Saade
and Costin Raiu, “Walking in your enemy’s shadow: when fourth-party collection becomes attribution hell.”
42. See the detailed discussion on exploit orchestrator FoxAcid: Schneier, “How the NSA Attacks Tor/Firefox Users
With QUANTUM and FOXACID”; and Smeets, “A matter of time.”
43. That is, mirroring the case of the U.S. hacking into the German server.
44. See note 19 above.
45. Furthermore, as Schneider notes, the resources to operate seamlessly and continuously are extensive. See:
Schneider, “Persistent Engagement.”
46. Delerue, Desforges, and Gery, “A Close Look at France’s New Military Cyber Strategy”; and Goetz, Rosenbach, and
Szandar, “National Defense in Cyberspace.”
47. As listed above, already memoranda of understanding exist on CND. These MoUs would focus on CNA.
48. A pre-operation identification of relevant equities and procedures can also promote operational and tactical
effectiveness of cyber command as less decisions have to be made on an ad hoc basis.
49. Nakasone, “A Cyber Force for Persistent Operations.”

Acknowledgements
For written comments on early drafts, I am indebted to Jamie Collier, Florian Egloff, Richard Harknett, Jason Healey,
Herbert Lin, James N. Miller, James Shires, and Diana van der Watt. I also thank the participants of the workshop ‘The
Transatlantic Dialogue on Military Cyber Operations’, held in Amsterdam in August 2019.

Disclosure statement
No potential conflict of interest was reported by the author.

Notes on contributor
Max Smeets is a senior researcher at the Center for Security Studies (CSS). He is also an Affiliate at Stanford University
Center for International Security and Cooperation and Research Associate at the Centre for Technology and Global
Affairs, University of Oxford.

Bibliography
Barnes, J. E. 2019. “U.S. Cyber Command Bolsters Allied Defenses to Impose Cost on Moscow.” The New York Times, May.
https://www.nytimes.com/2019/05/07/us/politics/cyber-command-russian-interference.html
Betz, D., and T. Stevens. Cyberspace and the State: Towards a Strategy for Cyber-Power. Abingdon: Routledge, Adelphi
Series, 2013.
Bing, C. 2018. “Command and Control: A Fight for the Future of Government Hacking.” Cyberscoop, April 11. https://
www.cyberscoop.com/us-cyber-command-nsa-government-hacking-operations-fight/
 INTELLIGENCE AND NATIONAL SECURITY 9

Borghard, E., and S. Lonergan. 2018. “What Do the Trump Administration’s Changes to PPD-20 Mean for U.S. Offensive
Cyber Operations?” CFR Net Politics Blog. https://www.cfr.org/blog/what-do-trump-administrations-changes-ppd
-20-mean-us-offensive-cyber-operations
Buchanan, B. The Cybersecurity Dilemma: Hacking, Trust and Fear between Nations. Oxford: Oxford University Press, 2017.
Buchanan, B., and R. D. Williams, 2019. “A Deepening U.S.-China Cybersecurity Dilemma.” Lawfare, October. https://
www.lawfareblog.com/deepening-us-china-cybersecurity-dilemma
Chesney, R. 2018. “Title 10 and Title 50 Issues When Computer Network Operations Impact Third Countries.” Lawfare,
April 12. https://www.lawfareblog.com/title-10-and-title-50-issues-when-computer-network-operations-impact-
third-countries
Chesney, R. 2018. “An American Perspective on a Chinese Perspective on the Defense Department’s Cyber Strategy and
‘Defending Forward’.” Lawfare, October. https://www.lawfareblog.com/american-perspective-chinese-perspective-
defense-departments-cyber-strategy-and-defending-forward
Chesney, R. 2018. “The 2018 DOD Cyber Strategy: Understanding ‘Defense Forward’ in Light of the NDAA and PPD-20
Changes.” Lawfare, September. https://www.lawfareblog.com/2018-dod-cyber-strategy-understanding-
defenseforward-light-ndaa-and-ppd-20-changes
Chesney, R. 2019. “CYBERCOM’s Out-of-Network Operations: What Has and Has Not Changed over the past Year?”
Lawfare, May. https://www.lawfareblog.com/cybercoms-out-networkperations-what-has-and-has-not-changed-over
-past-year
Cimpanu, C. 2018. “US Cyber Command Starts Uploading Foreign APT Malware to VirusTotal.” ZDNet, November 8.
https://www.zdnet.com/article/us-cyber-command-starts-uploading-foreign-apt-malware-to-virustotal/
Delerue, F., A. Desforges, and A. Gery, 2019. “A Close Look at France’s New Military Cyber Strategy.” April. https://
warontherocks.com/2019/04/a-close-look-at-frances-new-military-cyber-strategy/
Department of Defense. 2019. “Cyber Strategy 2019: Summary.” https://media.defense.gov/2018/Sep/18/2002041658/-
1/1/1/CYBER_STRATEGY_SUMMARY_FINAL.PDF
DoD News. 2018. “U.S., Montenegro Conduct Groundbreaking Cyber Defense Cooperation.” October. https://www.
cybercom.mil/Media/News/News-Display/Article/1651540/us-montenegro-conduct-groundbreaking-cyber-defense
-cooperation/
Fischerkeller, M., and R. Harknett. 2017. “Persistent Engagement and Tacit Bargaining: A Path toward Constructing
Norms in Cyberspace.” Lawfare, November 9. https://www.lawfareblog.com/persistent-engagement-and-tacit-
bargaining-path-toward-constructing-norms-cyberspace
Fischerkeller, M., and R. Harknett, 2019. “A Response on Persistent Engagement and Agreed Competition.” Lawfare,
June. https://www.lawfareblog.com/response-persistent-engagement-and-agreed-competition
Goetz, J., M. Rosenbach, and A. Szandar. 2009. “National Defense in Cyberspace.” Spiegel, February. www.spiegel.de/
international/germany/war-of-the-future-national-defense-in-cyberspace-a-606987.html
Goodman, S., J. Kirk, and M. Kirk. “Cyberspace as a Medium for Terrorists.” Technological Forecasting and Social Change
74, no. 2 (2007): 193–210. doi:10.1016/j.techfore.2006.07.007.
GReAT. 2015. “Animals in the APT Farm.” Securelist, March 6. https://securelist.com/animals-in-the-apt-farm/69114/
Guerrero-Saade, J. A., and C. Raiu. 2017. “Walking in Your Enemy’s Shadow: When Fourth-party Collection Becomes
Attribution Hell.” Virus Bulletin Conference. https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/
2018/03/07170728/Guerrero-Saade-Raiu-VB2017.pdf
Hathaway, M. 2013. “Cyber Readiness Index 1.0.” Presentation at Science, Technology, and Public Policy Program.
Cambridge, Massachusetts: Belfer Center for Science and International Affairs, Harvard Kennedy School.
Healey, J. 2018. “Triggering the New Forever War, in Cyberspace/.” The Cipher Brief, April. https://www.thecipherbrief.
com/triggering-new-forever-war-cyberspace
Healey, J. “The Implications of Persistent (And Permanent) Engagement in Cyberspace.” Journal of Cybersecurity 5, no. 1
(2019). doi:10.1093/cybsec/tyz008.
Jinghua, L. 2018. “A Chinese Perspective on the Pentagon’s Cyber Strategy: From ‘Active Cyber Defense’ to ‘Defending
Forward’.” Lawfare, October. https://www.lawfareblog.com/chinese-perspective-pentagons-cyber-strategy-active-
cyber-defense-defending-forward
Jinghua, L. 2018. “What Really Matters in ‘Defending Forward’?” November. https://www.lawfareblog.com/what-really-
matters-defending-forward
Joint Publication 3-12. 2018. “Cyberspace Operations.” June. https://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/
jp3_12.pdf?ver=2018-07-16-134954-150
Kaminska, M., R. Chesney, and M. Smeets. 2019. “A Transatlantic Dialogue on Military Cyber Operations.” Workshop
Report. Amsterdam: University of Texas at Austin, August. https://www.strausscenter.org/images/pdf/Amsterdam-
Workshop-Report-Final-Oct-1.pdf
Kaspersky. 2017. “Spy Wars: How Nation-state Backed Threat Actors Steal from and Copy Each Other.” October 4. https://
www.kaspersky.com/about/press-releases/2017_spy-wars-how-nation-state-backed-threat-actors-steal-from-and-
copy-each-other
McGhee, J. E. “Liberating Cyber Offense.” Strategic Studies Quarterly 10, no. 4 (Winter, 2016): 46–63.
10 M. SMEETS

Miller, J. N., and N. A. Pollard. 2019. “Persistent Engagement, Agreed Competition and Deterrence in Cyberspace.”
Lawfare, April. https://www.lawfareblog.com/persistent-engagement-agreed-competition-and-deterrence-
cyberspace
Modderkolk, H. 2018. “Dutch Agencies Provide Crucial Intel about Russia’s Interference in US-elections.” De Volkskrant,
January 25. https://www.volkskrant.nl/wetenschap/dutch-agencies-provide-crucial-intel-about-russia-s-interfer
ence-in-us-elections~b4f8111b/
Nakashima, E. 2017. “U.S. Military Cyber Operation to Attack ISIS Last Year Sparked Heated Debate over Alerting Allies.”
The Washington Post, May 9. https://www.washingtonpost.com/world/national-security/us-military-cyber-operation-
to-attack-isis-last-year-sparked-heated-debate-over-alerting-allies/2017/05/08/93a120a2-30d5-11e7-9dec-
764dc781686f_story.html
Nakashima, E. 2019. “At Nations’ Request, U.S. Cyber Command Probes Foreign Networks to Hunt Election Security
Threats.” Washington Post, May 8. https://www.washingtonpost.com/world/national-security/at-nations-request-us-
cyber-command-probes-foreign-networks-to-hunt-election-security-threats/2019/05/07/376a16c8-70f6-11e9-8be0-
ca575670e91c_story.html?wpisrc=nl_cybersecurity202&wpmm=1
Nakasone, P. M. 2019. “A Cyber Force for Persistent Operations.” Joint Force Quarterly, January. https://ndupress.ndu.
edu/JFQ/Joint-Force-Quarterly-92.aspx
Pomerleau, M. 2019. “New Authorities Mean Lots of New Missions at Cyber Command.” Fifth Domain, May 5. https://
www.fifthdomain.com/dod/cybercom/2019/05/08/new-authorities-mean-lots-of-new-missions-at-cyber-command/
Schneider, J. G. 2019. “Persistent Engagement: Foundation, Evolution and Evaluation of a Strategy.” May. https://www.
lawfareblog.com/persistent-engagement-foundation-evolution-and-evaluation-strategy
Schneier, B. 2013. “How the NSA Attacks Tor/Firefox Users with QUANTUM and FOXACID.” Schneier on Security, October
7. https://www.schneier.com/blog/archives/2013/10/how_the_nsa_att.html
Smeets, M. “A Matter of Time: On the Transitory Nature of Cyberweapons.” Journal of Strategic Studies 41, no. 1–2 (2018):
6–32. doi:10.1080/01402390.2017.1288107.
Smeets, M. 2019. “There are Too Many Red Lines in Cyberspace.” Lawfare, March. https://www.lawfareblog.com/there-
are-too-many-red-lines-cyberspace
Smeets, M. “NATO Members’ Organizational Path Towards Conducting Offensive Cyber Operations: A Framework for
Analysis.” In 2019 11th International Conference on Cyber Conflict: Silent Battle, edited by T. Minárik, S. Alatalu,
S. Biondi, M. Signoretti, I. Tolga, and G. Visky. (2019: NATO CCD COE Publications, Tallinn). https://ccdcoe.org/
uploads/2019/06/Art_09_NATO-Members-Organizational-Path.pdf
Smeets, M. W. E., and H. Lin. “4 A Strategic Assessment of the U.S. Cyber Command Vision.” Pp. 81–104, In Bytes, Bombs,
and Spies: The Strategic Dimensions of Offensive Cyber Operations, edited by H. Lin and A. Zegart. Washington DC:
Bookings Institution Press, 2018.
U.S. Cyber Command. 2018. “Achieve and Maintain Cyberspace Superiority: Command Vision for US Cyber Command.”
https://www.cybercom.mil/Portals/56/Documents/USCYBERCOM%20Vision%20April%202018.pdf?ver=2018-06-14-
152556-010
U.S. Cyber Command. 2019. “The 2019 Cyberspace Strategy Symposium.” May. National Defense University, Ft. McNair.
Unknown. 2009. “Memorandum of Understanding between the Department of Defense of the United States of America
and the Ministry of National Defense of the Republic of Korea Concerning Cooperation on Information Assurance (IA)
and Computer Network Defense (CND).” June. https://assets.documentcloud.org/documents/2997984/Document-
04.pdf
Unknown. “Memorandum of Understanding between the Department of Defense of the United States of America and
the Federal Ministry of Defense of the Federal Republic of Germany Concerning Cooperation on Information
Assurance (IA) and Computer Network Defense (CND).” https://assets.documentcloud.org/documents/3002259/
Document-03.pdf
US Cyber Command. 2018. “2018 Cyberspace Strategy Symposium Proceedings.” https://www.cybercom.mil/Portals/
56/Documents/USCYBERCOMCyberspaceStrategySymposiumProceedings2018.pdf?ver=2018-07-11-092344-427