The Pentagon’s new strategy for cyberoperations Defense Secretary Ashton Carter unveiled last week in Silicon Valley is a strong sign the US is shedding its defense-only paradigm for cybersecurity policy.
The US has long focused on strengthening online defenses to reduce vulnerability to attack, but recently, there's been a stronger push by policymakers to find new ways to deter attacks before they happen. The goal of threat deterrence is to raise the costs of, and reduce the benefits from, cyberattacks and cyberespionage so that it no longer pays. The new strategy reflects the growing understanding at the highest levels of the US government that there is value in a hybrid model of cybersecurity based not only on defense but also on finding ways to be proactive.
According to the updated Pentagon approach, the Department of Defense has several roles to play in this. First, the strategy calls for the department to strengthen “deterrence by denial.” Specifically, the strategy calls on both DOD and the private sector, which owns and operates more than 90 percent of cyberspace infrastructure, to protect their networks. Although this message is couched in the now-popular government buzzword of deterrence, this is simply a call for more defense, which is nothing new.
The strategy also calls for the DOD to adopt effective resilience and redundancy measures. Although the strategy does not specify what it means by this, resilience can be enhanced through a variety of capabilities, including integrity and segmentation. Integrity capabilities allow a potentially infected network to be reset to an earlier and uninfected state. Segmentation walls off certain parts of the network from others in order to help isolate sources of infection.
Whether adopted by the Defense Department, critical infrastructure owners, or the private sector more generally, the strategy notes that such measures contribute to cyberdeterrence by helping to “convince potential adversaries of the futility of commencing cyberattacks on US networks and systems."
Resiliency can mitigate the consequences of a successful attack. But fortifying networks is more easily said than done, and the Pentagon strategy is short on details as to how the department will achieve this goal, let alone how critical infrastructure owners and the private sector more broadly will do so, as is necessary if resilience is effectively to deter cyber adversaries.
The most striking aspect of the strategy, however, is that it portrays DOD’s offensive capabilities as essential to deter adversaries from initiating cyberattacks attacks on the US. This approach dovetails with National Security Agency Director Adm. Mike Rogers’s recent congressional testimony. In that testimony, Admiral Rogers, who also heads US Cyber Command, took the position that effective deterrence requires the US to increase its cyberoffensive capabilities.
The implication of the NSA chief's testimony and the DOD strategy is that offensive capabilities are necessary because the existing US approach to cyberdeterrence is, by itself, insufficient to deter cyberattacks. But such a conclusion may be premature. It is only recently that the US began to view threat deterrence as an integral part of its cybersecurity strategy, and even more recently – only in the last year or so – that deterrence appears to have motivated government action (as opposed to diplomacy) in response to cyberattacks and cyberespionage.
Even in that short time frame, there has been considerable progress on the threat deterrence front, with the government taking several high-profile steps to punish malicious cyberintruders.
First, less than a year ago, the Department of Justice issued a groundbreaking public indictment of five Chinese military officers for economic espionage against several large US companies including Westinghouse Electric and U.S. Steel. This first-of-its-kind indictment identified five individual Chinese People’s Liberation Army officers involved in cyberespionage and detailed their activities. In doing so, the US ramped up the political and diplomatic costs to China and others engaged in like activities in an effort to deter them from such behavior.
Second, just a few months ago, the government invoked sanctions in response to the Sony hack. After the US government publicly attributed the hack to the North Korean government, President Obama signed an executive order pursuant to which the Treasury Department imposed targeted sanctions on specified North Korean government agencies and officials. This marked the first time that Washington invoked sanctions in response to a nation-state sponsored cyber attack.
The sanctions – unlikely to have a significant effect on North Korea due to its limited commercial interaction with the US – clearly were designed to send a signal to other would-be cyber threat actors that such intrusions are not without cost. As Treasury Secretary Jack Lew said at the time, “These steps underscore that we will employ a broad set of tools to defend US businesses and citizens and to respond to attempts to undermine our values or threaten the national security of the United States.”
Third, just last month, President Obama issued an executive order establishing a sanctions program for those conducting cyberattacks modeled on US counterterrorism and nonproliferation sanctions programs. The program is designed to penalize those who engage in destructive cyberattacks against critical infrastructure and/or commercial cyber espionage by freezing their assets, among other things.
Drawing conclusions at this time regarding the effectiveness of America's nascent cyberdeterrence efforts is premature. Not enough time has passed for even the limited actions described above to have taken full effect, and it seems reasonable to assume that when more such actions have been taken, the impact on cyberadversaries will be greater.
Moreover, there are avenues for government action that have not yet been tapped; for example, the possibility of game-changing legislation in this area should not be ruled out. Over the past few years, a number of bills designed to deter cyberthreat actors have been introduced in Congress, including legislation that would allow corporate victims of cyberespionage to recover damages from such intrusions.
As it is too early to know whether the government’s still-developing deterrence strategy is working, it is premature to deem offensive cyberoperations a necessity for purposes of deterrence. Given the potential downsides of DOD engaging in offensive cyberactivity – e.g., the possibility of damaging diplomatic relations or causing unintended harm – a sensible approach may be to hold off on such activity for purposes of threat deterrence while exploring the effectiveness of other, more modest, avenues for relief from cyberthreats, such as diplomacy, law enforcement, governmental sanctions, and civil remedies.
Regardless of whether the DOD engages in offensive cyberactivity for purposes of threat deterrence, the new DOD strategy reflects the growing consensus that cyberattacks must not go unpunished; that a heavy cost for such activities must be imposed; and that DOD can play an important role in the development and implementation of a comprehensive and effective US cybersecurity strategy based in part on threat deterrence.