12 December 2018

Are more offensive cyber operations actually a deterrent?

Justin Lynch 

“It is hard to measure if deterrence is working or failing,” said Jason Healey, a former Bush administration White House official and senior research scholar at Columbia University.

Days before the midterm elections, one of the Pentagon’s top cyber official was asked if there was any metric that could be used to judge the success of the Trump administration’s new cyber policy, one which promises more aggressive offensive operations.

Burke Wilson, the deputy assistant secretary of defense for cyber, policy pointed to election security efforts the Department of Defense had ongoing at the time. “We will conduct an after-action review on all of the operations that we are conducting,” he told reporters Oct. 30.

Judgement day is coming soon.

Director of National Intelligence Dan Coats is required to submit an after-action report of foreign election meddling in the midterm elections by Dec. 21. Yet information about foreign election meddling continues to drip out. The Republican House Congressional campaign arm was hacked during the midterm elections, a fact that was first reported by Politico. And after the 2016 presidential campaign, former White House and intelligence officials told Fifth Domain it took nearly a year to get a clear understanding of Russian election meddling.

But experts point to a larger problem when it comes to measuring the success of the new policy.

“It is hard to measure if deterrence is working or failing,” said Jason Healey, a former Bush administration White House official and senior research scholar at Columbia University.

It is not possible in most cases to prove that deterrence is causing an effect, Healey said during a November presentation at Cyber War Con. For example, he cited the fact that whether nuclear deterrence played a strong role in the Cold War is still debated.

But while proof of the policy’s success is hard to come by, a lesser degree of certainty is possible, Healey said.

Statements by foreign leaders, cyber activity attributed to known hackers and data on incoming cyberattacks could be useful metrics to assess overall trend lines, which could give clues to a policy’s success or failure.

The new White House and Pentagon cyber strategies promise more offensive operations through “persistent engagement” and a mentality to “defend forward.”

“The side effects of the strategy of ‘persistent engagement’ and ‘defend forward’ are still ill-understood,” Max Smeets and Herb Lin, scholars at Stanford University wrote for Lawfare. “A United States that is more powerful in cyberspace does not necessarily mean one that is more stable or secure.”

No comments: