14 August 2017

Cyber Deterrence Cannot Be One Size Fits All

JAMES N. MILLER

The fallout of major cyber attacks and espionage campaigns increasingly shapes interactions between nations. The vulnerability of the United States to such digital intrusions will only grow as the country becomes more dependent on networked technologies, particularly the Pentagon’s weapon systems. Mere network defense is not sufficient; the United States needs a strategy to deter its adversaries from conducting digital attacks with major national security implications. The Cipher Brief’s Levi Maxey spoke with James Miller, the former Under Secretary of Defense for Policy at the U.S. Department of Defense, who recently co-chaired a Defense Science Board report on how the Pentagon should approach cyber deterrence, about what the U.S. military’s strategy should look like.

The Cipher Brief: There has been a lot of focus lately on cyber deterrence, including from Sen. John McCain and the Senate Armed Services Committee. You recently co-chaired a Defense Science Board task force on the topic. Why all of this recent interest?

James Miller: Two big reasons: the world we face today, and the even more challenging world we face tomorrow.

First, the United States has been getting hit hard in cyberspace: Iran’s distributed denial of service attack on Wall Street in 2012-2013; North Korea’s cyber attack on Sony Pictures in 2014; Chinese cyber-enabled theft of intellectual property that occurred over at least the last dozen years; and of course, Russia’s hacking of the 2016 U.S. presidential election.

We need to do better. Although we certainly need to improve our cyber defenses, we are never going to succeed with a “defense only” strategy. Because the U.S. economy and our society are so dependent on information technology, there are practically infinite opportunities available to a capable cyber attacker. Cyber offense has a much easier job than defense; it can devote tons of resources to finding and exploiting a few vulnerabilities. And it only has to get it right once in order to succeed. The defender has to try to protect all of its critical IT systems but is stymied by the fact that perfect defense is just not possible.

So, reason one for the big focus on cyber deterrence is that we are getting hit hard today, and “defense only” won’t work. We need to change the decision calculus of our potential adversaries.

Second, the cyber problem is getting worse, not better, with time. The offensive cyber capabilities of our adversaries are growing rapidly, as they (like us) see the leverage cyber provides and invest more and more money and people into it. As a result, other countries have a significant and growing ability to hold U.S. critical infrastructure at risk via cyber attack – and to simultaneously use cyber to undermine U.S. military responses.

This double whammy – U.S. critical infrastructure and military systems, both increasingly vulnerable to debilitating attack – is putting the U.S. in an untenable strategic position, especially relative to Russia and China as they invest billions per year in offensive cyber capabilities.

So, reason two for the big focus on cyber deterrence is that as bad as our situation is today, if we don’t take major steps to improve it, we are going to be in far worse shape in the coming years.

TCB: What is deterrence more generally, and how is it accomplished?

Miller: Deterrence means convincing your adversary that the expected costs of attack (or of whatever action you are trying to deter) outweigh the expected benefits. So, deterrence is fundamentally about imposing costs and denying benefits.

We talk about deterring Russia or deterring North Korea, but the fact is that you don’t deter nations. Nations don’t make decisions. Nations’ leaders – and in some cases leadership groups like the Chinese Politburo – make decisions. So, if you want effective deterrence, you need to figure out what the other side’s leadership might want to do – for example, how it might see benefit in a cyber attack – and what they value, so you can figure out what to hold at risk to impose costs).

Deterrence is partly about capabilities, but at its core it is about affecting the perceptions of the other side’s senior leaders. If they think you live in a cyber glass house, they won’t believe you are going to be able to deny the benefits of their attack. If they think you don’t have both the will and the capability to respond by imposing serious costs if attacked, they will think they have a free hand.

TCB: How has deterrence been traditionally accomplished in areas like weapons of mass destruction or criminal activity? How does cyber deterrence fit or not in either of those models?

Miller: The basic principles of deterrence apply to all domains, including nuclear, criminal, and cyber. But there are huge differences between these three areas.

When people talk about nuclear deterrence, they are most often thinking about the U.S.-Russia strategic nuclear balance. Four key things about this domain. First, a deterrence failure would be catastrophic if not existential; a nuclear war between the U.S. and Russia could kill tens or hundreds of millions. Second, for decades, both sides have been stuck in a position of Mutual Assured Destruction, so deterrence by denial is a non-starter. Third, both sides have high confidence that they would be able to detect and attribute a nuclear attack by the other side. And fourth, strategic nuclear deterrence between the United States and Russia involves only two parties, who have studied each other for decades and who can tailor their deterrence posture specifically to the other side.

Contrast that with criminal deterrence. First, there are well over a million violent crimes – i.e., over a million deterrence failures – every year in the United States. While the outcome can be catastrophic or even existential for individuals, this is not so for the U.S. society and economy. Second, defenses ranging from locked doors to guarded banks and armored cars, to community police patrols, are essential. Third, attribution – figuring out whodunnit – is often a huge challenge. And fourth, the U.S. criminal deterrence posture applies to hundreds of millions of people (and many millions of potential criminals) in the United States; neither the denial of benefits or the imposition of costs can be tailored to specific individuals.

Cyber deterrence has some important similarities, and some big differences, to both nuclear deterrence and criminal deterrence.

First, as in the nuclear arena, catastrophic cyber attack is possible, and our deterrence strategy and posture need to focus heavily on such attacks. At the same time, the cyber attacks we’ve experienced to date and most of those we will try to deter in the future are serious but not catastrophic. So, a smart cyber deterrence posture needs to include very specific tailored plans to deter catastrophic cyber attack by countries, including Russia, China, North Korea, and Iran, and at the same time, it needs to include a broader plan to deter cyber attack by individuals and small groups – more analogous to deterring crime.

Second, as in the criminal arena, cyber defenses can’t be perfect, but they are fundamentally important to deterrence. We need to raise the cyber defenses of U.S. critical infrastructure in order to make it much, much harder to launch a catastrophic cyber attack. Terrorists and some other groups may not be deterred by the threat of retaliation, so deterrence by denial is absolutely critical. Moreover, while cyber hardening of U.S. critical infrastructure will never be good enough to prevent a Russia or a China from being able to threaten a major cyber attack, it can cause them to have to be “noisier” to do so, thereby boosting our confidence in attribution. Finally, somewhat similarly to the nuclear domain, where survivable second-strike military capabilities are central to deterrence, the U.S. must ensure that it has “cyber second-strike” capabilities that allow a wide range of military responses in the event of even a worst-case cyber attack in the future.

Third, attribution of cyber attacks can be very difficult, just as finding out “whodunnit” can be a big challenge in many criminal cases. At the same time, and similarly to the nuclear case, the United States devotes massive resources to human and technical intelligence collection of our potential adversaries, so that in many cases there may be good attribution – even as in the case of the 2016 Russian hack of the U.S. election, it may be challenging to share the underlying intelligence with the public.

Fourth and finally, just as in the nuclear domain, the United States needs detailed plans for responding to large-scale cyber attacks, and these plans need to be tailored to the leadership of key countries – particularly Russia, China, North Korea, and Iran. At the same time, just as in the criminal justice domain, the U.S. needs to have a broader cyber deterrence posture that aims to both deny benefits and if necessary, impose costs on a wide range of potential attackers.

TCB: What is tailored deterrence?

Miller: One size will not fit all in the cyber deterrence world. We need to tailor our deterrence posture in three key ways.

First, as noted previously, we need to tailor our deterrence posture to specific potential adversaries. We should focus in particular on Russia, China, North Korea, and Iran. (For ISIS, we should focus not on deterrence but on pre-emption and protection.)

Second, we need to tailor both what we aim to deter, and how we aim to deter it, to specific contexts. As we think about our four major potential cyber adversaries, we can distinguish four contexts: peacetime, gray zone conflict, crisis, and war. The lines between these contexts can be blurred, but we need to act on the understanding that while tools like diplomacy and economic sanctions may be effective in peacetime, we need higher-end capabilities to deter in crisis or war.

Third, we need to be prepared for escalation of a cyber conflict, or any conflict for that matter. That requires tailoring in a different sense, by reserving some cyber and non-cyber responses for higher rungs of the escalation ladder. In attempting to protect American lives and U.S. interests in a rapidly moving crisis or war, the national security community must be prepared to rapidly adjust its approach in order to provide the president with a range of viable options. This means having a cyber deterrence playbook, not a cookbook.

TCB: Can you give examples of how deterring Russian cyber activity might be different than deterring Iranian cyber activity?

Miller: All three factors I just talked about apply. Russian President Vladimir Putin and his leadership team have fundamentally different objectives – and vulnerabilities – than Iranian leaders including Supreme Leader Khamenei. That’s true in peacetime, and the differences between Russian and Iranian goals could be even more significant in crisis or conflict. And of course, while a war with Iran would be costly, especially for Iran, we need to account for the reality that with Russia, the top rung of the escalation ladder is nuclear Armageddon.

TCB: How important is defensive resilience for deterrence, particularly in our ability to confidently respond to aggressive cyber behavior?

Miller: Hugely important. Fundamentally important. But we are nowhere close.

It would be hugely in the strategic interests of the United States to have a highly resilient critical infrastructure. If this were the case, we could lean hard on deterrence by denial and deterrence by cost imposition or retaliation would be additive. Unfortunately, that is not the world in which we live. Nor are we likely to get there is the next decade.

TCB: Are U.S. weapons systems cyber-hardened enough to have confidence in their ability to have the effects we intend them to? How can we create resiliency within these systems for the future?

Miller: Today, unfortunately, the answer is no. On the other hand, the good news today is that even our most capable adversaries cannot have confidence that they can inhibit U.S. systems from working. Over the coming few years, unless we take significant actions, our confidence will decline and our adversaries’ confidence will increase.

So, we have a lot of work to do in order to ensure that U.S. adversaries understand that even if the face of a massive cyber attack, we will have the resilience to respond with offensive cyber, non-nuclear strike, and if necessary, as escalation occurs, with nuclear weapons. Providing future presidents confidence in the cyber resilience of all three of these response capabilities is one of the most important tasks of the Department of Defense over the next decade. It will take a systematic, sustained, and diverse approach so the adversary has to counter multiple techniques, not just one, in order to succeed.

TCB: Many cyber attacks do not reach the threshold of an act of war, diluting our ability to signal firm response frameworks for deterrence. How can a deterrence model accommodate that?

Miller: The U.S. should have policy that if we are attacked in cyberspace, we will respond. The question should not be whether, but how.

Following this policy, and responding to all attacks, has a risk of escalation. But not responding – or systematically responding weakly – guarantees a different kind of escalation, where our adversaries will continue to increase the number and severity of their cyber attacks.

No comments: