October 21, 2012

U.S. Cyber Experts: Deterrence Not Enough

The U.S. Defense Department’s new cyber defense mantra — deterrence — is poised to help prevent attacks easily attributable to nation-states.

The problem? Many attacks, and frequently the most sophisticated, don’t come immediately from nation-states. Instead, they come from groups that, while state-supported, provide plausible deniability for their benefactors, experts said.

Defense Secretary Leon Panetta announced a new policy approach Oct. 11, a more aggressive stance in which deterrence will be used to convince bad actors to stay their hands. Panetta claimed that the U.S. can now effectively find out who is behind attacks and has developed the offensive tools to take decisive, even pre-emptive, action.

But while experts applauded the efforts to make cybersecurity policy a more public debate, they questioned the broad applicability of a deterrence model.

“One theory of deterrence is not going to be applicable to the spectrum of potential bad actors in cyberspace,” said Roger Cressey, a senior vice president at Booz Allen Hamilton.

However, Cressey said deterrence can be useful. “Where people go off the rails is they say, ‘Well, deterrence is not going to work in every scenario, and therefore it’s worthless,’ ” he said. “No. Deterrence will work in some scenarios at the nation-state level.”

The problem with broader deterrence lies largely in the plausibility of a U.S. response. When a nation-state attacks in a way in which attribution is obvious, it creates a scenario not dissimilar to a kinetic attack on the U.S. International law already has well-worn guidelines on how states can respond to an attack against its citizens or military, depending on the cyber aggressor’s target. DoD has made it clear that it won’t hesitate to use kinetic weapons to respond to such an obvious attack.

But many of the most dangerous threats stem from quasi-state organizations, where offices might be in privately held facilities staffed by cyber experts outside of any military installation, but whose funding comes from nation-states.

Even if the attribution problem has largely been solved, and DoD can determine that such an office is behind an attack, potential responses are limited. Is the U.S. willing to strike against what are ostensibly private citizens? Although the U.S. has taken action against terrorists, strikes have occurred in largely lawless areas, and not, for instance, in the heart of China, where many cyber attacks originate.

“The challenge for policymakers is that if it’s a nation-state activity, there’s a playbook for that,” Cressey said. “If it’s state-supported, what’s the response against that?”

One of the larger problems with attempting to deter these groups is the financial ramifications, said Jeff Moulton, a researcher at the Georgia Tech Research Institute.

“Deterrence as we witnessed in the kinetic world results in an ‘arms race’ of sorts,” Moulton said. “We build 10 nuclear missiles, they build 15, we build more, they respond in kind. And it goes on. I’m not convinced this was the proper strategy. One could argue that we out-spent the Soviet Union and forced them into bankruptcy; however, the cyber world is different. There are rogue actors all over the world, and I doubt we have the fiscal resources, not to mention the technical talent, to employ this approach.”

And even the demonstration of force before its use, a technique employed in the past, might not work in cyber, Moulton said.

“If a rogue nation-state ‘misbehaves,’ we often deploy a carrier group to the area as a ‘show of force’ to deter further unacceptable behavior,” he said. “How do you do that in the digital world? A series of ‘pings’ on their industrial control systems, perhaps a limited [distributed denial-of-service] attack? Will it have the same effect?”

Further complicating a deterrence model is that most attacks focus on espionage as opposed to destruction. During the Cold War, espionage was seen as outside of the larger arms buildup and not viewed as an aggressive act, allowing both Soviet and American actors to freely spy. Whether the U.S. will apply those looser standards to cyber is unclear.

“The whole question of deterrence in cyber really doesn’t apply to espionage,” said Irving Lachow, a fellow at the Center for a New American Security. “Every nation is spying. The only question is, who’s spying better?”

These concerns only exacerbate some of the larger policy issues DoD faces when it comes to cyber. International law on conflict was written long before cyber capabilities were conceived, the agency is still struggling to write new rules of engagement for cyber, and current policies for training the force may be inadequate to generate a sufficient pool of experts. Possibly more important, DoD hasn’t publicly used an offensive weapon, making its deterrence stance less plausible.

Technical issues also loom, as experts expressed doubts about the department’s claim of being able to pinpoint the source of an attack or to quickly deploy precision cyber weapons, given that White House authorization is still needed for any strike.

But the larger suggestion, that the U.S. will act, is important and can work even if the aggressive stance doesn’t deter bad actors, Cressey said.

“In counterterrorism, the question is, if you kill a terrorist, does that deter others?” he said. “The answer is no, but so what? The point is that you’re eliminating operational command-and-control capabilities by killing the terrorist. In cyberspace, does it deter? Maybe, maybe not. But if you’re able to take action to eliminate the bad entity’s ability to conduct operations, that’s OK, too.”