“I’d say our [cyber] defense isn’t working” – Former Director of the National Security Agency Keith Alexander.
In a keynote address at the American Enterprise Institute, Alexander told the audience that “if everybody’s getting hacked … industry and government … the strategy that we’re working on is flawed.” Critical infrastructure is vulnerable to cyberattacks and several nation states have developed the necessary cyber arsenal to strike critical infrastructure. Yet, our cyber defense isn’t working. This is not the first time nations have developed weapons that break through defense systems. The nuclear terror of the Cold War presented a similar complication.
In cyber defense, can Cold War-style deterrence work? Relying primarily on the words of Keith Alexander, Eric Rosenbach (principal cyber advisor to the Secretary of Defense), and Scott Jasper (retired Navy captain and lecturer at the Naval Postgraduate School), Mark Pomerleau examines this question in an article for DefenseSystems.com.
Pomerleau first sets out Jasper’s definition of deterrence, breaking it down into three potential components: deterrence by punishment (the threat of retaliation), deterrence by denial (the ability to prevent benefit), and deterrence by entanglement (mutual interests). According to Rosenbach, a cyber deterrence policy would require a “whole-of-government” approach, in which the Department of Defense would need to:
(1) develop the capabilities to deny a potential attack from achieving its desired effect
(2) increase the cost of executing a cyberattack . . . DOD must be able to provide the president with options to respond to cyberattacks on the U.S., if required through cyber and other means,
(3) ensure that we are resilient, so if there is an attack that we can bounce back.
However, Pomerleau goes on to describe a number of issues that differentiate cyber defense from Cold War nuclear defense. First, attribution is difficult in the cyber realm because adversaries can re-route the source to a different location, providing plausible deniability. Second, deterrence will not be as effective against the numerous criminal non-state actors involved in cyber attacks. Finally, traditional nuclear deterrence relies on an adversary knowing the destruction that will result if they make a move, whereas in the cyber realm the effectiveness of a cyber threat depends in part on the secrecy of weapons.
While Pomerleau also describes potential solutions, they are couched in vague terminology, providing little reassurance. For instance, Rosenbach addresses the attribution problem by suggesting that the government reduce anonymity in cyberspace, without providing any information as to how the government would be able to accomplish that objective. Pomerleau also stresses the importance of international frameworks, a view shared by most, but despite numerous international conferences the vulnerabilities in cyberspace are still on the rise.
After finishing Pomerleau’s article, I pulled out a book of essays on cyber deterrence compiled by the National Research Council of the National Academies*. In one of the essays** in the book, Stephen J. Lukasik compared the nuclear deterrence policy to deterrence issues in the cyber realm. While Lukasik described many of the same issues in Pomerleau’s article, he noted the three aspects of deterrence that remain invariant:
(1) A defender’s response must be seen as technically feasible. In the nuclear case, very visible weapon tests and well publicized images of nuclear detonations and measured global radioactive fallout provided convincing demonstrations of feasibility.
(2) [T]he defender must be seen as credible, willing as well as able to respond. U.S. nuclear weapon use in WWII established that, and equivalent Soviet nuclear capabilities left little doubt what its response to a nuclear attack would be.
(3) [D]efense through deterrence requires being able to respond, with in-being offensive capability. While response to a cyber attack need not be a cyber counter-attack, international principles of armed conflict speak to proportionality of response and escalation control favors responding in kind. Thus cyber offense is a component of cyber deterrence.
I agree with Lukasik that feasibility, credibility, and ability are the cornerstones of a successful deterrence policy, but can this work in cyber defense? It seems like all three of those objectives suggest some sort of a demonstration to the world that it is feasible, we are able to strike, and our threats should be taken seriously.
While Lukasik argues that the response to a cyber attack should be limited to cyber offense, Rosenbach is cited in Pomerleau’s article advocating for a response policy that uses all the tools of foreign policy and military options.
This is a global issue, and everyone will be watching what policy the United States ultimately follows to fix the flaws in its cyber defense. If we continue to limit offensive actions, we limit deterrence by punishment. On the other hand, if we are too aggressive, we could open the door to more attacks. I agree with Rosenbach:
“The U.S. is a glass house when it comes to cyber.”
To read the full DefenseSystems.com article by Mark Pomerleau, click here.
*Proceedings of a Workshop on Deterring Cyberattacks – Informing Strategies and Developing Options for U.S. Policy, compiled by the National Research Council of the National Academies
**A Framework for Thinking About Cyber Conflict and Cyber Deterrence with Possible Declaratory Policies for These Domains, by Stephen J. Lukasik