The U.S. Cyber Glass House and Deterrence

“I’d say our [cyber] defense isn’t working” – Former Director of the National Security Agency Keith Alexander.

In a keynote address at the American Enterprise Institute, Alexander told the audience that “if everybody’s getting hacked … industry and government … the strategy that we’re working on is flawed.” Critical infrastructure is vulnerable to cyberattacks and several nation states have developed the necessary cyber arsenal to strike critical infrastructure.  Yet, our cyber defense isn’t working.  This is not the first time nations have developed weapons that break through defense systems.  The nuclear terror of the Cold War presented a similar complication.

In cyber defense, can Cold War-style deterrence work? Relying primarily on the words of Keith Alexander, Eric Rosenbach (principal cyber advisor to the Secretary of Defense), and Scott Jasper (retired Navy captain and lecturer at the Naval Postgraduate School),  Mark Pomerleau examines this question in an article for DefenseSystems.com.

Pomerleau first sets out Jasper’s definition of deterrence, breaking it down into three potential components: deterrence by punishment (the threat of retaliation), deterrence by denial (the ability to prevent benefit), and deterrence by entanglement (mutual interests). According to Rosenbach, a cyber deterrence policy would require a “whole-of-government” approach, in which the Department of Defense would need to:

(1) develop the capabilities to deny a potential attack from achieving its desired effect

(2) increase the cost of executing a cyberattack . . . DOD must be able to provide the president with options to respond to cyberattacks on the U.S., if required through cyber and other means,

(3) ensure that we are resilient, so if there is an attack that we can bounce back.

However, Pomerleau goes on to describe a number of issues that differentiate the cyber defense situation from the Cold War nuclear defense situation. First, attribution is difficult in the cyber realm because adversaries can re-route the source to a different location, which gives them plausible deniability. Second, deterrence will not be as effective against the numerous criminal non-state actors involved in cyber attacks. Finally, traditional nuclear deterrence relies on an adversary knowing the destruction that will result if they make a move, whereas in the cyber realm the effectiveness of a cyber threat depends in part on the secrecy of weapons.

While Pomerleau also describes potential solutions, they are couched in vague terminology, providing little reassurance. For instance, Rosenbach addresses the attribution problem by suggesting that the government reduce anonymity in cyberspace, without providing any information as to how the government would be able to accomplish that objective.  Pomerleau also stresses the importance of international frameworks, a view shared by most, but despite numerous international conferences the vulnerabilities in cyberspace are still on the rise.

After finishing Pomerleau’s article, I pulled out a book of essays on cyber deterrence compiled by the National Research Council of the National Academies*. In one of the essays** in the book, Stephen J. Lukasik compared the nuclear deterrence policy to deterrence issues in the cyber realm.  While Lukasik described many of the same issues in Pomerleau’s article, he noted the three aspects of deterrence that remain invariant:

(1) A defender’s response must be seen as technically feasible.  In the nuclear case, very visible weapon tests and well publicized images of nuclear detonations and measured global radioactive fallout provided convincing demonstrations of feasibility.

(2) [T]he defender must be seen as credible, willing as well as able to respond.  U.S. nuclear weapon use in WWII established that, and equivalent Soviet nuclear capabilities left little doubt what its response to a nuclear attack would be.

(3) [D]efense through deterrence requires being able to respond, with in-being offensive capability. While response to a cyber attack need not be a cyber counter-attack, international principles of armed conflict speak to proportionality of response and escalation control favors responding in kind.  Thus cyber offense is a component of cyber deterrence.

I agree with Lukasik that feasibility, credibility, and ability are the cornerstones of a successful deterrence policy, but can this work in cyber defense? It seems that all three of those objectives call for some sort of demonstration to the world that a response is feasible, that we are able to strike, and that our threats should be taken seriously.

While Lukasik argues that the response to a cyber attack should be limited to cyber offense, Rosenbach is cited in Pomerleau’s article advocating for a response policy that uses all the tools of foreign policy and military options.

This is a global issue, and everyone will be watching what policy the United States ultimately follows to fix the flaws in its cyber defense. If we continue to limit offensive actions, we limit deterrence by punishment. On the other hand, if we are too aggressive, we could open the door to more attacks. I agree with Rosenbach:

“The U.S. is a glass house when it comes to cyber.”

 

To read the full DefenseSystems.com article by Mark Pomerleau, click here.

*Proceedings of a Workshop on Deterring Cyberattacks – Informing Strategies and Developing Options for U.S. Policy, compiled by the National Research Council of the National Academies

**A Framework for Thinking About Cyber Conflict and Cyber Deterrence with Possible Declaratory Policies for These Domains, by Stephen J. Lukasik
