In cyber defense, can Cold War-style deterrence work?
Military deterrence efforts are as old as battle tactics. From troop build-ups to increased armaments to robust strategies on highly advanced warfare such as nuclear arms, military strategists and commanders have intently studied the art of deterring adversaries.
But deterrence in cyberspace is a different game. With the proliferation of technology, the Internet and greater connectivity, malicious actors in cyberspace are able to operate much more freely than in the physical world. The number of cyberattacks on both government and commercial networks is growing, and established practices for protecting those networks could be falling short. Former director of the National Security Agency Keith Alexander, in a keynote address last week at the American Enterprise Institute said flatly, “I’d say our defense isn’t working.” Citing recent cyberattacks from Iran, China, Russia and North Korea, Alexander told the audience that “if everybody’s getting hacked… industry and government… the strategy that we’re working on is flawed.”
So is deterrence an option? Can the type of military deterrence policies that have worked in the physical world be applied to cyberspace? It’s an issue military leaders are starting to focus on.
As Scott Jasper, retired Navy captain and a lecturer at the Center for Civil-Military Relations and the National Security Affairs Department at the Naval Postgraduate School, wrote in a recent essay for Strategic Studies Quarterly (PDF), “The aim of deterrence is to create disincentives for hostile action and normally involves two components: deterrence by punishment (the threat of retaliation) and deterrence by denial (the ability to prevent benefit). Some notable scholars have suggested a complementary third component: deterrence by entanglement (mutual interests) that encourages responsible behavior of actors based on economic and political relationships.”
In an attempt to outline the Defense Department’s framework and strategic interests in cyber deterrence at a Senate Armed Services Subcommittee hearing last week, Eric Rosenbach, principal cyber advisor to the Secretary of Defense, described deterrence policy as a “[w]hole-of-government cyber strategy to deter attacks. This strategy depends on the totality of U.S. actions to include declared deterrent policy, overall defensive posture, effective response procedures, indication and warning capabilities, and the resilience of U.S. networks and systems.”
In addition to DOD’s three missions for cyberspace—defending DOD networks, defending U.S. networks overall against significant attacks and providing full-spectrum cyber support for military operations—Rosenbach outlined three roles the Defense Department can play within the whole-of-government approach. “We need to develop the capabilities to deny a potential attack from achieving its desired effect,” he said. “Second, the U.S. must increase the cost of executing a cyberattack, and this is where DOD must be able to provide the president with options to respond to cyberattacks on the U.S., if required through cyber and other means… And finally, we have to ensure that we are resilient, so if there is an attack that we can bounce back.”
Jasper in his essay noted that current deterrence strategies, specifically those involving retaliation, are compounded by the fact that attributing a cyberattack to its source is difficult given that Internet routing can allow bad actors to conceal their identity and give them plausible deniability. Rosenbach also addressed this concern, saying that the government must reduce anonymity in cyberspace so that “adversaries who attack us don’t think that they can get away with it.”
Given the anonymity in cyberspace, typical military deterrence policies must be tweaked and tailored to the specific threat. For example, Rosenbach said, the U.S. government’s response to a cyberattack might not be retaliation in the cyber realm. “[S]omething I would like to emphasize is, although it’s a cyberattack, we don’t think about the response purely through cyber lens; it would be all the tools of foreign policy and military options,” he told lawmakers.
Furthermore, the level and effectiveness of deterrence depends on the attacker. Certain state actors are can be deterred more than others, while criminal, non-state actors are the most difficult to deter, he said. Asked during the hearing whether adversaries view attacks against government agencies as low-risk, Rosenbach said, “I would say [our adversaries] probably do view it as low risk when it comes to exploitation and trying to steal data. I would say it’s considerably higher risk if they were to conduct a destructive attack against a DOD network – the deterrence level there is much higher and I think they see that as higher risk, which is what we go for.”
No nuclear option
In terms of the overall efforts at of cyber deterrence, Jasper wrote: “The concept of deterrence is still hotly debated in the cyber community, because, for instance, traditional nuclear deterrence relies on an adversary having knowledge of the destruction that will result from transgressions, which is not possible in cyber because the secrecy of weapons is necessary to preserve their effectiveness.”
Sen. Bill Nelson (D-Fla.), during last week’s subcommittee hearing, suggested that nation states could be deterred by the potential of cyberattacks. “Critical infrastructure is vulnerable, but at least there is deterrence with folks like Russia and China, because they have a lot to lose as well knowing that we could respond offensively with a large-scale attack on their economic parties. So it’s just like the [intercontinental ballistic missiles] of years ago – mutual assured destruction.” But Rosenbach said that the notion of a comparable nuclear deterrent and cyber deterrent strategy is unfounded. “[T]he analogy with nuclear part is not that strong,” he said.
Rosenbach said the biggest challenge in cyber deterrence and response efforts is a balance between “making sure we deter enough that the attack doesn’t come but we don’t escalate things to the point that bring more attacks upon ourselves,” he stated. “The U.S. is a glass house when it comes to cyber.”
That’s why the United States is employing other tools, such as economic sanctions. President Obama recently signed an executive order that would allow sanctions to be applied to malicious actors who commit aggressive hacks against government and private-sector infrastructure, as well as individuals who profit from stolen information as a result of such hacks.
While the area of protecting cyberspace is still relatively new—and, as Rosenbach pointed out, entities such as the U.S. Cyber Command are still nascent—governments will continue to work on effective strategies to ensure proper defense and respond to cyberattacks. International frameworks are also important, which is why representatives from nations around the world gathered at the Global Conference on Cybersecurity htlast week.
The U.S. government, particularly DOD, will continue to develop frameworks for that whole-of-government approach to cyber defense. As Alexander said last week, “whose responsibility is it to protect the country? The Defense Department… it doesn’t say ‘except these kind of attacks’ because if somebody attacks in cyber, the distance between cyber and physical attacks can be very short.”
Mark Pomerleau is a former editorial fellow with GCN and Defense Systems.