In this post, the advice offered looks at deterrence from a U.S. perspective, but applies in full measure to many other nations who find their critical infrastructure and companies under attack. This article first appeared in the Wall Street Journal’s CIO Journal, April 28, 2015.
We have reached a tipping point. The costs to our national and economic security are high and continue to grow higher. Whether from nation states intent on stealing military, political or economic secrets, attacking our critical infrastructures, pilfering corporate intellectual property and R&D or from criminals engaging in theft, fraud and other cybercrimes, the initiative continues to remain with the attacker. It’s time to engage in cyber deterrence through a strategy to dissuade, deter, and compel would-be attackers. Deterrence is the act of making someone decide not to do something; of preventing a particular behavior from occurring.
Evan Vucci/Associated Press
A view of the National Cybersecurity and Communications Integration Center in Arlington, Va.
Earlier this month, the Administration took definitive action by promulgating an Executive Order imposing sanctions against those who seek to undermine or hamper U.S. security through cyberattacks. And just last week, the Secretary of Defense announced the Pentagon’s updated Cyber Strategy including stronger language on offensive cyber operations. It also for the first time acknowledges the need to develop a comprehensive cyber deterrence strategy which Congress initially called for in the National Defense Authorization Act in 2014. This is a good beginning and must be a critical part of a deterrence strategy for which we must be prepared to wield all instruments of statecraft including political, diplomatic, economic, law enforcement and military capabilities. Let’s be clear: this is not about deterring or temporarily defeating technologies; it is about deterring actors beyond traditional military domains, both State and non-State alike as well as their proxies by carefully crafting our policies and calibrating our tools accordingly.
To do this, we must fashion a strategy that significantly raises the stakes for threat actors. We must make the cost so high and decrease their payoff so significantly that the advantages of cyber attack activity will be greatly reduced. We must deny the adversary their objective. Penalties as envisioned under a sanctions regime will certainly help; but the plain reality is that sanctions, especially if unilateral, will not deter those seeking to reap the benefits of robbing U.S. companies. Resilience must be a key part of our cyber deterrence, allowing those U.S. companies on the front lines the ability to apply threat information and conduct joint efforts, like several we have recently seen against botnets, with a cross section of private and government participants.
Of course, many instantly connect nuclear and cyber deterrence. But let’s recall that the nuclear club is relatively limited and requires a high level of scientific expertise and financial cost to maintain and deploy. For cyber, the bar to entry is relatively low; capabilities can be acquired, built and launched covertly. Moreover, cyber power includes non-state actors, difficult attribution, and a wider field of players.Equally important, we see the private sector and individual companies entities forced to defend against state actors. The private sector has adopted practices that could be part of a deterrent strategy. From botnet takedowns to joint activities with Europol, companies have begun the process of “taking the gloves off” and incrementally challenging cyber threat actors. There is a role to be played in cyber deterrence by nearly every public and private entity in the U.S. – a much broader domain than the nuclear one.
We must also contend with the inevitable gray lines between Computer Network Attack (CNA) and Computer Network Exploitation (CNE). In simplest terms, this is the issue of destructive behavior – whether computer network operations actually seek to destroy as opposed to obtaining information through nondestructive means. Our strategy must recognize that offensive cyber actions must be weighed carefully against our need to maintain an exploitative capability in networks. Our adversaries collect intelligence to provide a clear economic advantage to their commercial companies, such as stealing intellectual property. Our strategy must consider these intelligence threats as such activity results in an unfair playing field in the global marketplace for U.S. companies.
Following traditional deterrence policy, we need to signal to our adversaries through covert or other offensive actions that cyber actions will result in a response. We must signal our resolve and credibility. Of course, there will be concerns of a cyber escalation and of potential physical damage. That is why our responses need to be incisive, surgical and clear. This is not a game of “taking down” the adversary; it is demonstrating our capability and intention to dissuade them from further damage to our national security and economy. While we need unifying principles, the specific strategies must be tailored to key state and non-state actors; the strategy to deter Russia will not work for China or Iran or North Korea and certainly not for non-state actors such as criminal enterprises.
After many years of fledgling and unproductive efforts, we now have an opportunity to develop a broad cyber strategy including both sanctions and deterrence. We have an opportunity to bring relief to the private sector and bring credibility to our cyber policy. Yet success will ultimately depend on our commitment to act and translate the nouns into verbs. As Nathan Bailey put it: “Threats without power are like powder without the ball.”
By Frank J. Cilluffo, SDI Cyber Risk Practice, and Rhea D. Siers, Scholar-in-Residence at CCHS and Special Counsel at Zeichner, Ellman & Krause.
SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.
You can view previous blog posts on cyber risk management here.
April, 28 2015