2
Cybersecurity in America: The US National Security Apparatus and Cyber Conflict Management

2.1. Introduction

Although cyber issues have become increasingly important in international security debates over the past decade, much remains unknown about how they are perceived, interpreted and managed by states. In the United States, a major player in the field since the first cyber policies of the mid-1980s, there has been a marked tendency in the literature on national security to adapt or recycle old notions, essentially inherited from the Cold War era and from classical theories of international relations. In recent years, we have thus seen a proliferation in American security debates of ideas and concepts such as "cyberpower" (Betz and Stevens 2011), "cyber deterrence" (Libicki 2009; Nye 2017) and even "cyber security dilemma" (Buchanan 2016). Struggling with a new phenomenon disrupting the international system, the US national security literature seems to seek to integrate the "cyber revolution" into preexisting theories the same way it once integrated the "nuclear revolution" (Kello 2017).

In so doing, such research tends to ignore some important underlying dynamics in understanding cyber conflict. As we witness the emergence of different national conceptions, priorities and strategic cultures regarding the cyber domain (Williams 2019), how do we explain their respective genesis and what importance should be given to these disparities? How do states construct their "national interest" in the cyber domain and on the basis of what logic do they defend it? Do they actually do so in a rational manner, or do we witness clear contradictions and suboptimal choices in the way they manage cyber conflict? If one intends to address these questions, it seems essential to also pay attention to the internal dynamics of each state.

In this chapter, we propose to use foreign policy analysis (FPA1) approaches in order to examine state decision-making processes on cyber issues. Inspired by the research of scholars such as Graham Allison (Allison and Zelikow 1999), Morton Halperin (Halperin and Clapp 2006), Valerie Hudson (Hudson 2005) and Amy Zegart (Zegart 2000), our approach aims to shed light on how the United States, at the domestic level, perceives and understands cyber issues and how decisions and policies in this area are elaborated. This method mostly rejects the notion of the unitary state as a central unit of analysis, and rather focuses on the role played by (among others) institutions, organizations and individuals in the formulation of foreign policy. More broadly, such an approach suggests that by focusing on agents, that is to say, the producers of foreign policy, it is possible to better understand why and how they think and act differently from one another - thus rendering any rational explanation of state behavior invalid and unpredictable (David and Rapin 2018).

Using the United States as a case study, this chapter aims to demonstrate how and why cyber conflict management by a state is often distorted and affected by different societal and institutional dynamics, issues of organizational culture and bureaucratic rivalries, as well as disparities in the dispositions and personal positioning of key decision-makers. On the basis of three levels of analysis (societal and institutional, governmental-bureaucratic and governmental-individual), this research will shed light on the mechanisms of competition, negotiation and integration of the different political, corporate and personal agendas that stir up the decision-making process in the cyber domain. From the first policy document adopted by the United States on cyber issues (the National Policy on Telecommunications and Automated Information Systems Security, signed by Ronald Reagan in 1984) to the elevation of the US Cyber Command to the rank of unified combatant command in 2018, this chapter draws on various key moments in US cyber decision-making2. In so doing, we illustrate how domestic factors give rise to numerous contradictions and dysfunctions in the way the US national security apparatus understands and manages cyber conflict.

2.2. Societal and institutional dynamics

A first set of factors affecting cyber conflict management in the United States unfolds at the societal and institutional levels (for a theoretical overview of these issues, see Halperin and Clapp (2006)). These factors are essentially based on economic, cultural and legislative imperatives and stem from the role played by the private sector, US states and the legislative branch in decision-making on cyber issues. We show here that these factors often contribute to slowing down or constraining federal government decision-making and may occasionally generate suboptimal choices in matters of cybersecurity. At least three significant dynamics can be identified in this regard.

First, cyber issues directly affect the activities of the private sector and are thus subjected to significant efforts by companies (particularly those in the communications technology industry) to prevent the emergence of regulations that may restrict their activities3. Through public-private consultation processes, and also through important lobbying channels within the US political system, the private sector has repeatedly shown itself capable of curbing or reshaping various cybersecurity-related measures discussed in Washington. This is particularly true of critical infrastructure protection, which successive administrations have tried to bolster since the mid-1990s, without succeeding in introducing legal cybersecurity standards outside the public sector (Kaplan 2016, pp. 97-101, 275-278). This is despite the fact that cyberattacks on electrical or financial infrastructures are regularly cited as a major threat by US national security actors (Latiff 2018, pp. 3-4).

According to Richard Clarke, former "cybersecurity czar" under Bill Clinton, this inertia is in good part due to the importance of campaign donations in the US political process, as well as the impacts of the "revolving door" phenomenon4 within the government workforce, which both grant a major influence on cyber policy-making to the private sector. In this respect, he recounts an enlightening anecdote that occurred in 2002 involving himself and President George W. Bush, whom he was advising at the time:

I had gone to him in the Oval Office with news of a discovery of a pervasive flaw in software, a flaw that would allow hackers to run amok unless we could quietly persuade most major networks and corporations to fix the flaw. Bush's only reaction was: "What does John think?" John was the CEO of a large information technology company and a major donor to the Bush election committee. (Clarke and Knake 2010, pp. 106-110, 263)

In a similar manner, Amy Zegart and Michael Morell (former Deputy Director of the CIA) also note the impacts of the privatization of security within the US government apparatus: "embedded contractors" working within intelligence agencies, for example, frequently tend to prevent or stifle the adoption of new computer programs and systems when these have not been developed by their own companies (Zegart and Morell 2019, p. 92). In other words, despite relatively clear national security imperatives, the private sector regularly succeeds in pushing its profitability and competitiveness priorities into the decision-making process on cyber issues.

Second, because of the decentralized nature of the American political system, there are also important mismatches in the distribution of prerogatives - and therefore resources - between federal and sub-federal authorities (states, counties, etc.) regarding cybersecurity. Richard Andres notes a persistent tendency to recreate and maintain, with respect to cyber issues, the same federal-state organization designed in the past to manage more traditional security issues, thus failing to take into account the particularities and constraints specific to the domain (Andres 2012, pp. 91-92). This has resulted in a number of gaps in capacity and expertise at the state level, where states manage various critical systems and infrastructure (such as electricity or water grids) but are not always equipped to ensure their integrity (Cohen and Nussbaum 2018). A wave of cyber intrusions in 2019 on various power infrastructures in the central and western United States suggests that hackers (suspected of acting on behalf of adversary powers) deliberately targeted small, locally managed facilities, banking on the fact that they would be poorly defended (Smith and Barry 2019).

In addition to this institutional immobility, there are various resistances of a more ideological nature on the part of states to certain federal initiatives. American states, traditionally suspicious of an overly centralized government, tend to forcefully defend their prerogatives against "Washington overreach". This dynamic largely extends to the sphere of national security, where threats highlighted by the federal government are often perceived (and denounced) by states as excuses to legitimize an undue takeover. In cybersecurity, this dynamic was most notably seen in the context of the Russian interference in the 2016 presidential election. Managed on a state-by-state basis, election systems and infrastructure were a cause of serious concern for the Department of Homeland Security (DHS), which feared that voting systems may be subject to hacking. The DHS...