Overclassification of Offensive Cyber Operations. Unclassified U.S. government discussion of America’s offensive cyber capabilities has been quite limited for many years. For a long time, the U.S. government did not want to advertise to the world that the nation even had an interest in carrying out offensive cyber operations, and U.S. policy regarding the classification of this interest reached absurd extremes.
Rationale for Classification. Exposing a particular operational offensive cyber program that takes advantage of specific vulnerabilities in adversary systems alerts adversaries to remediate those vulnerabilities.
Keeping Coherent Cyber Strategy. Secrecy and classification potentially reduce the coherence of cyber strategy. Because of the restrictions imposed by a “need to know” environment, individuals in the National Security Agency may be unaware of developments in doctrine occurring in the Office of the Secretary of Defense, and so forth. Without cross-pollination and engagement across agencies, the resulting strategy could easily be inconsistent and possibly deficient.
Adoption Across the Services. Military service members who do not specialize in cyber operations need a general familiarity with them so they can understand and assess what the operational use of offensive cyber capabilities means for the responsibilities of their current positions as well as future billets. Otherwise, service members of other military occupational specialties will be unable to reasonably consider such capabilities in planning an operation. Concerns about how front-line personnel should respond to a tactical cyber incident are accentuated because kinetic conflict is likely to be preceded by the use of cyber weapons.
Enabling Discourse. Policymakers (both military and civilian) need to know in general terms what cyber operations can and cannot do, what is needed to prepare for such operations, and how the outcomes of offensive cyber operations, both successful and unsuccessful, might implicate other interests and equities, such as inadvertent conflict escalation.
Taylor Grossman is Technology Analyst at Clark Street Associates, a consulting firm in Palo Alto that works with emerging technology companies. Previously, she was Cyber Research Associate at the Hoover Institution, Stanford University, where she conducted research in cyber policy and cybersecurity. She has also served on the staff of the Office of the Assistant Secretary of Defense for Public Affairs. Taylor has a B.A. in Political Science with Distinction and Honors in International Security Studies from Stanford University. Her senior thesis on homeland security warning systems won the Firestone Medal for excellence in undergraduate research.
Dr. Herbert Lin is senior research scholar for cyber policy and security at the Center for International Security and Cooperation and Research Fellow at the Hoover Institution, both at Stanford University. He is one of twelve commissioners selected by the White House and Congressional leadership for the President’s Commission on Enhancing National Cybersecurity. He is also Chief Scientist, Emeritus for the Computer Science and Telecommunications Board, National Research Council (NRC) of the National Academies and Adjunct Senior Research Scholar and Senior Fellow in Cybersecurity (not in residence) at the Saltzman Institute for War and Peace Studies in the School for International and Public Affairs at Columbia University. Prior to his NRC service, he was a professional staff member and staff scientist for the House Armed Services Committee (1986-1990). He received his doctorate in physics from MIT.
Herbert Lin, Ph.D.
CH. 19 - The Practical Impact of Classification Regarding Offensive Cyber Operations
CHAPTER 19 - AUTHORS
Sample Chapter Table
The over classification of offensive cyber operations has stymied public debate and left policymakers bereft of a host of academic and public insight into pressing challenges. The benefits of this classification must be weighed against the potential cost and a more equitable balance found than currently exists. Given the diversity of stakeholders in cybersecurity and the onus on the private sector, a balanced debate with informaiton in the public sphere is critical to healthy and effective policymaking.