27 September 2015

IN SEARCH OF CYBER DETERRENCE

SEPTEMBER 24, 2015

The U.S. government needs to be clear and credible as to what actions it will not stand for and how it will retaliate.

In recent months, the Obama administration has advocated a strategy of deterrence to combat the growing cyber threat. Released in April, the Department of Defense’s 2015 Cyber Strategy calls for a “comprehensive cyber deterrence strategy to deter key state and non-state actors from conducting cyber attacks against U.S. interests.” Almost concurrently, President Obama signed an executive order giving the Secretary of the Treasury authority to issue sanctions against actors that launch cyber attacks on the United States. And recently, Commander of U.S. Cyber Command Admiral Michael Rogers echoed the policy, advocating deterrence by increasing costs of an attack and decreasing perceived odds of success. The deterrence message is broadcasting on all channels.

Deterrence in Action?

It makes sense that the administration would rely heavily on deterring threats. As Obama himself pointed out at Fort Meade earlier this month, “offense is moving a lot faster than defense” in the cyber arena. The open-access tradition and unsecured infrastructure of the internet creates an offense-biased environment; it is easier to perpetrate an attack than it is to defend against the myriad ways a network can be compromised. The current technology simply favors the offense. That bias should, in theory, encourage a deterrence strategy. However, it is becoming increasingly clear that the theory is not functioning well in practice.

Despite the policy and recent provocation, the United States appears to have taken very little visible action to respond to cyber attacks, a point which has not escaped the notice of policy observers like Foreign Policy’s David Rothkopf, who commented that the United States has “a deterrence deficit.” Similarly Director of National Intelligence James Clapper testified in front of Congress that the United States has failed to create “both the substance and the mindset of deterrence.” In a somewhat more pointed commentary, The Daily Beast’s Shane Harris asked, “is the Obama administration’s hand-wringing over Chinese cyber spying making the U.S. look like chumps?” In fact, Chinese President Xi Jinping pays his first state visit to the United States this week, which may allow an opportunity to discuss cyber issues, but the visit certainly does not convey the image of a great power provoked into retaliation. Unfortunately, in a deterrence strategy, that image matters.

A functional deterrence strategy may be possible for the United States, and given the offensive nature of the cyber environment, it may even be the best choice available. However, in order to have even a chance at success, policymakers should keep in mind three basic requirements for a deterrence model. Two of these requirements have remained essentially unchanged since the Cold War days of Thomas Schelling. In order for a deterrence strategy to work, a state must clearly communicate its intentions, and its communication must be credible. Current context adds one further requirement to this framework—in order to establish a credible deterrent, a state must have the capability to identify the source of an attack.

Communication

President Obama and the DoD Cyber Strategy state in almost identical words that the United States will respond to attacks on its interests “in a place and manner and time that we choose,” which does convey a convincing sense of bravado, but does little for a deterrence strategy because it does not establish clearly what the cost of an attack would be. A successful deterrence strategy also communicates the trigger for punitive countermeasures. DoD’s cyber policy establishes that it will take action on a case-by-case basis to defend the United States and its interests from “attacks of significant consequence,” which may, in turn, include “loss of life, significant damage to property, serious adverse U.S. foreign policy consequences, or serious economic impact.” But that leaves more gray area than clarity. For example, at what point is theft of intellectual property considered to be “serious economic damage?” How many SF-86 forms must be stolen to achieve the level of “serious adverse foreign policy consequences?”

Of course, the administration is limited in their public comments on responses to cyber attacks, both for the sake of maximizing flexibility in their options and in order to protect the details of any planned countermeasures. Furthermore, granular operational detail is not appropriate in a broad strategy document. But it is hard to convince an adversary of the costs of confronting the United States without making those consequences and the actions that trigger them clear.

Credibility

In his recent appearance at Ft. Meade, President Obama discussed tension with China on cyber issues, saying the Chinese could “choose to make this an area of competition — which I guarantee you we’ll win if we have to.” This is not the first time President Obama has suggested consequences for China. With his April executive order granting the Secretary of the Treasury authority to impose sanctions against “persons engaging in significant malicious cyber-enabled activities,” President Obama signaled a willingness to exercise sanctions as a deterrent. But between ongoingwaffling over sanctions and the imminent Chinese state visit, it seems increasingly unlikely that the administration will follow through on the threat until further provocation emerges.

Given the classified nature of cyber activity, observers should allow for the possibility of an unacknowledged U.S. response to Chinese activities. The North Koreans claimed just such a response after repeated network disruptions following the Sony hack. Further rumors of U.S. offensive capabilities erupted when Kaspersky Lab uncovered a team of startlingly advanced hackers using tools linked to presumed-NSA operations. But unconfirmed suspicion of capability is not sufficiently credible to serve the broader purpose of deterrence. In short, the simple fact that the United States appears to be unwilling to deliver on its threats undercuts the very mechanism on which deterrence depends, irrespective of whether or not it does actually follow through on a threat.

Attribution

Cold War strategists could generally count on identifying the origin of an attack, but cyber strategists cannot, which is a real obstacle to a deterrence strategy. Economic, legal, cyber, and all other mechanisms for a response are rendered useless if the U.S. cannot identify the perpetrator (and sponsor) of an attack. Tools for attribution have gotten better. For example, Mandiant was able to convincingly attribute a series of attacks to a particular unit of the Chinese government, and U.S. penetration of North Korean networks provided attribution for the Sony attacks. But if a would-be attacker expects a reasonable chance of anonymity (or at least can make a good case for plausible deniability), then the United States is extremely limited in options for a response, which quickly undermines a deterrence strategy.

A Way Forward for American Cyber Deterrence?

True deterrence is intended to prevent an adversary from attempting a certain set of behaviors. In order to reliably influence the opponent’s decision making, the United States needs to be clear and credible as to what those behaviors are and what the response will be. Particularly in concert with other strategies, a clear and credible deterrence approach could be very useful when attribution is possible. But vague consequences and inconsistently enforced threats will undermine the strategy. Playing a metaphorical game of Russian roulette is not enough; there needs to be a bullet in each chamber for a deterrence strategy to work successfully. That level of clear communication and credibility comes with tradeoffs. It limits the range of responses available to the United States, it forces a potentially risky level of transparency in communicating future operations, it requires extensive technological expertise, and it will almost certainly impact the effectiveness of diplomatic approaches. The question left for policy makers is whether those risks are worthwhile.

Laura K. Bate is Assistant Director at the Center for the National Interest and a graduate of Georgetown University’s Security Studies Program. She writes on cyber policy, intelligence, and security issues.

No comments: