On Jan. 12th, 2012, Jack Goldsmith authored a great post for Lawfare about the problems with US cybersecurity deterrence. That post referenced another article written for the Council of Foreign Relations by Adam Segal; the article was titled A Chinese View on Why Cyber Deterrence Is So Hard.
Segal's CFR article analyzed a China Defense Daily piece that questioned whether the US can deliver on its cyber-deterrence aims. Specifically, the Chinese questioned the US ability to attribute cyberattacks and noted that even if the US does retaliate, "the impacts on networks are often limited and can be quickly recovered from." Interestingly, Segal raised the question whether US intelligence agencies have in fact solved the attribution problem, or whether they just claimed they did.
Goldsmith picks up on that question, and notes that deterrence is tough because "the credibility of [the US government's] public response to the operations depends in part on being able to convince various audiences in the United States and abroad that the attribution is accurate." Continuing on, Goldsmith hones in on what I think is the biggest problem with the US cyber-deterrent strategy: "if the US government is willing to retaliate."
***
Although not exactly the same as retaliation, the Obama administration refused to use offensive cyberattacks against Libya because of the precedent it could set. The US is highly vulnerable to cyberattack, so that concern over setting precedent is valid. Would that reluctance to use cyberattack carry over to retaliation against cyberattack? What about cyber-espionage? I'll admit that I accepted the NSA's claims of successful attribution a bit too quickly. I still accept those claims. Even if attribution isn't 100%, the day is coming when it will be. And even if attribution isn't 100%, and the US retaliates against the wrong hacker group, wouldn't some level of general deterrence (albeit less credible deterrence) be better than no deterrence at all? At the end of the day, I don't think the problem is attribution, or capability, or effectiveness; I think the issue is the US willingness to retaliate. There are good reasons why we should be reluctant to retaliate. However, how effective is our cyber-deterrent strategy if we're not willing to retaliate?
***
The Lawfare blog post can be found here.
The CFR article can be found here.
There is more to both the article and post, so I recommend checking both out.
Leave a Reply