You won’t find the word “deter” anywhere in the Biden administration’s new national cybersecurity plan.
That reflects a major shift from the paradigm the U.S. had been using for the past three decades to combat hackers, and it’s largely thanks to the academic who’s been working behind the scenes with U.S. military and intelligence agencies.
Richard J. Harknett, a professor and chair of the Center for Cyber Strategy and Policy at the University of Cincinnati, became the first scholar-in-residence at the U.S. Cyber Command and National Security Agency (NSA) in 2016. With the rising tide of cyberattacks targeting critical infrastructure in the United States, the agencies were looking for fresh perspectives on the problem, and they connected with Harknett.
Working in tandem with Michael Fischerkeller from the Institute of Defense Analyses and Dr. Emily Goldman from the Cyber Command, Harknett helped craft what’s now known as the doctrine of persistent engagement, an element of the White House’s recently announced National Cybersecurity Strategy that heads off potential hackers by getting more active to thwart them. Harknett, Fischerkeller, and Goldman would go on to co-author a book on the topic, entitled Cyber Persistence Theory: Redefining National Security in Cyberspace (Oxford University Press, 2022).
Focal Point caught up with Harknett to hear his thoughts about the Biden administration’s adoption of persistent engagement, what it means for business, and how he thinks it is likely to be implemented around the world.
First, what’s your quick definition of persistent engagement?
Persistent engagement is a strategy that suggests that security rests in anticipating the exploitation of vulnerabilities before they occur and leveraging vulnerabilities among adversaries that exist. It rests on a logic of initiative persistence.
Security in cyberspace, because of its fluidity, rests on who can anticipate exploitation before it occurs. The paradigm that the United States had been using for 20 to 30 years was based on deterrence: We tried to convince the other side not to attack. In the 2018 National Cybersecurity Strategy, even though the Trump administration started to implement it, persistent engagement was still lagging for a variety of reasons. It rested mostly on deterrence.
But in this document [released in March from the Biden administration], the word “deter” doesn’t even show up. That’s a significant pivot from how the United States thought about the cybersecurity space for decades.
So, is persistent engagement about shifting from defensive to offensive approaches?
I’d encourage you not to think in those terms.
Oh? And yet, that’s how it’s often described.
This is about moving from a reaction force to a persistent force. The reason I suggest looking at it that way is the environment of cyberspace is so technically fluid that you need to be able to anticipate what someone might do to you. It’s not about flipping back and forth from offense to defense. It’s about making sure you have the initiative, instead of the other guy.
This is where the Cyber Command’s “hunt forward operations” come into play, where you work with partner nations to hunt for potential adversary malware or tactics, where you’re getting out in front of adversaries before they can execute on vulnerabilities.
By taking a more aggressive stance, aren’t we risking a glass house syndrome where we make ourselves even bigger targets?
I would call it being more active, and being more active is not ipso facto being more aggressive.
When persistent engagement was quietly rolled out a few years ago, retaliation was a concern. But operationally, what we found was that you can do this kind of thing without escalatory dynamics occurring. In fact, you can produce defensive effects when you’re being more active.
In our book, we argue that most state and even non-state actors have been really staying well below the level of engaging in all-out cyberwarfare. They are more focused on what we call strategic competition.
That sounds like a business marketing term.
It affects U.S. businesses. This is one of the things that the Biden strategy really emphasizes: that we’re in a strategic competition more than a war. In other words, hackers chip away at your economic competitiveness, your military advantage, and your democratic institutions through cyber campaigns and operations.
They try to undermine you. But all that stops well short of what we’d call warfare.
What’s your view on the U.S. potentially banning TikTok, the Chinese app, over cybersecurity fears?
TikTok is a national security threat as both an intelligence-gathering and influence platform. Think Voice of America from the Cold War and World War II, but communications land in 150 million pockets. Why would Beijing not use our playbook against us, add AI, and win without fighting?
How should businesses be thinking about and addressing this latest national cybersecurity strategy?
Stop looking at IT as a cost-savings department. The main priority of business is profit and that’s fine. But recognize that if you’re operating in cyberspace, it is rife with vulnerabilities that can be exploited by criminal organizations and nation-states.
If you live in an interconnected space—and that’s what network computing is—IT must be central to your business practices, and you have to be secure by default.
So it’s not just a government strategy; the private sector can stay active by maintaining good cyber hygiene, conducting threat hunts, getting cyber experts on the board, and so on. You want enterprises to take more responsibility, especially in the tech sector, which may see more regulation. Given the current political climate, do you see this plan getting bipartisan support?
I would submit that the climate for a plan like this is probably better than it has been in two decades. I think there is room in the next two years to find common ground and start laying out incentives and disincentives to make this real. And we must, because if we don’t, the losses from cyber insecurity will be too significant. I think lawmakers know that if we don’t get a handle on this, it won’t be good for business, and it certainly will not be good for national security.