News | May 4, 2023

Cyber Persistence Theory: Redefining National Security in Cyberspace

By Stafford A. Ward Joint Force Quarterly 109

Download PDF

Stafford A. Ward is a Cyberspace Integration Planner in the Partnerships Division at U.S. Cyber Command (USCYBERCOM) and is also a USCYBERCOM Commander’s Civilian Development Fellow, in a program established by USCYBERCOM Commander General Paul Nakasone.
Air Power Supremo: A Biography of Marshal of the Royal Air Force Sir John Slessor
Cyber Persistence Theory: Redefining National Security in Cyberspace
By Michael P. Fischerkeller, Emily O. Goldman, and Richard J. Harknett
Oxford University Press, 2022
266 pp. $28.45
ISBN: 9780197638262
Reviewed by Stafford A. Ward

Few books have been written in the recent past whose stated intent has been to influence and shape the perceptions of foreign and defense policymakers. In the spirit of the famed Stanford University political scientist Alexander George, who wrote Bridging the Gap: Theory and Policy in Foreign Policy, the authors of Cyber Persistence Theory: Redefining National Security in Cyberspace have successfully bridged the gap with a thought-provoking, accessible academic analysis. Cyber Persistence Theory holistically examines the current cyberspace environment in a way that is sure to be useful to U.S. cyberspace policymakers and operators.

The arguments advanced by the writers artfully explore the structure of the new cyberspace environment. The authors are a qualified mix of cyberspace academics and practitioners who succinctly capture their previously published thoughts on cyberspace to advance a coherent and novel concept of cyber persistence theory. Successfully communicating a theory to a range of communities can be a heavy lift, but the authors have included extensive footnotes that provide resources through which readers can delve deeper as needed into the concepts discussed, such as structural realism, agreed competition, balance of power, and offense-defense theory.

The heart of Cyber Persistence Theory explains that

the primary [cyber faits accomplis] and secondary [direct cyber engagement] behaviors of States in and through the cyber strategic environment . . . are consequences of a structural imperative to persist and of a structurally derived strategic incentive to pursue gains through cyber exploitation short of armed-attack equivalence.

This theory argues that cyberspace exploitation, the most dominant form of cyberspace activity, represents strategic competition and therefore should be understood as one state’s gaining cyberspace advantage through another’s cyberspace vulnerabilities in a short time frame. To make their case, the authors consider various international relations theories and strategic concepts to establish the foundation of persistence theory for the reader. They bridge the gap by drawing on international affairs scholarship by authors including military and nuclear strategists such as Thomas Schelling, Kenneth Waltz, Carl von Clausewitz, and Bernard Brodie, as well as scientific philosopher Thomas Kuhn. In particular, the authors acknowledge Waltz, the founder of neorealism, or structural realism, as defining the international system as a “condition of insecurity . . . that works against [international] cooperation.” Because states in our era of Great Power competition are leveraging malicious cyberspace activities as an alternate means of accomplishing their geopolitical goals, there is no inherent incentive for those states to cooperate as they would in the concert of international diplomacy. In sum, there is no United Nations in cyberspace.

The first four chapters of the book thoroughly explain the theoretical concepts that define the cyberspace environment; they are followed by several chapters examining real-world cases of cyberspace campaigns among both micro-resilient and micro-vulnerable states. For example, the authors highlight the U.S. Government’s cyberspace operations to disrupt the so-called Islamic State’s online propaganda activities, Russia’s compromise of U.S. networks, and China’s zero-day exploitations of commonly used software applications, such as Microsoft Exchange and Adobe Flash.

With the foundations of cyber persistence theory established, the authors move to explain the three strategic environments that characterize the entire human history of security: conventional, nuclear, and cyberspace. Conventional security rests in the presence of war, nuclear security rests in the absence of war, and cyber security rests in the alternative to war. The authors point out that most policymakers and operators currently frame cyberspace in a Cold War context, which maps inaccurately to the current strategic cyberspace environment. The authors argue that “interconnectedness” is the core structural feature of the cyber strategic environment, requiring continuous integrated campaigning and supported by ongoing collaboration, integration, and synchronization across all relevant cyber planning and operational players and all instruments of national power. Cyber persistence theory also suggests that cyberspace operations are not inherently escalatory, and such operations rarely cross the upper bound of agreed competition, or the threshold of warfare, into kinetic operations.

Cyber Persistence Theory also defines the evolution from the two strategic environments to the current cyberspace strategic environment as a paradigm shift that necessitates a change in strategic thinking among policymakers, senior defense leaders, and joint force operators. Thomas Kuhn, the authors note, “writes that a paradigm provides a community with its basic assumptions, key concepts, and methodology. . . . For a shift, or ‘change in worldview,’ to occur, there must be a realization of the misalignment between theory and reality.” The authors argue that the misapplication of the paradigms of conventional and nuclear environments to cyberspace represents a failure to understand the nature of the cyber environment. This is sure to generate discussion among scholars and strategists alike. For example, Cyber Persistence Theory argues that cyber policymakers who plan to hold cyber targets at risk fail to understand that cyberspace is an environment where seizing targets of opportunity is a better policy prescription, given the highly dynamic nature of cyberspace.

The authors also offer insights for diplomats and specialists in international law who must devise methods for minimizing risks inherent in the international system due to malicious cyber activities. As supplementary reading, policymakers and joint force operators should consider the late Columbia University political scientist Robert Jervis’s essay “Cooperation Under the Security Dilemma,” to aid in their addressing international cooperation in cyberspace. Would inter-state cooperation create security advantages among like-minded states in an environment of interconnectedness? Is Waltz correct that such cooperation in cyberspace might not completely provide states with security guarantees against states acting outside of responsible cyberspace norms?

Cyber Persistence Theory will help policymakers and cyberspace warriors and operators to make sense of the work they do daily, offer a sense of purpose, and help to both shape and articulate the cyberspace environment. Cyberspace Persistence Theory should be mandatory reading for joint force operators, policymakers, diplomats, and law enforcement specialists, to provide them with a richer understanding of early-21st-century cyberspace. JFQ