Last week, together with the U.S. Chamber of Commerce, we co-hosted an event that focused on cyber deterrence and international norms in cyber space. Initial presentations were made by the Chamber’s Anne Beauchesne, General Michael Hayden and SDI’s Frank Cilluffo and General Rhett Hernandez. Some very bright minds from business and academia, and experts who have had significant responsibility in formulating U.S. policy on cybersecurity, exchanged views on many of the most pressing issues that relate to using deterrence as a key tool in defending against cyber attacks. It’s doubtful anyone who participated came away from the conversation thinking anything other than that this is really challenging for government and business alike.
The event certainly was timely. On April 1 the President issued an executive order authorizing sanctions on “malicious cyber actors whose actions threaten the national security, foreign policy, or economic health or financial stability of the United States.” For many businesses, the prospect of using sanctions as a tool against cyber malactors is a welcome development, particularly if attribution is becoming more certain than has historically been the case. But even here there remains debate over what actions are clearly sanctionable, and concern over how universal agreement on what is sanctionable, and on what deterrent actions are acceptable, will become. Companies, understandably, would prefer global alignment on these issues, rather than having to follow different policies in every country in which they do business.
For a deterrence policy to be effective there has to be a credible threat of consequences. Inevitably, that means that once lines are established, if they are crossed, there must be retaliation. We must demonstrate both the means and the will to act in a way that will deter future aggression. However, for businesses there is the uneasy belief that retaliation can provoke further attacks, and an abiding concern over how much information a business that has been attacked will have to share, and with whom, to make the case for retaliation.
Fundamentally, despite the amount of attention being paid to deterrence, we are in the very early stages of sorting through the issues. We lack agreement on basic vocabulary that would establish a common understanding upon which to build. What constitutes a “cyber attack?” What actions are acceptable as part of active response? What actions might constitute illegal use of force, potentially violating international law? Although governmental bodies around the world are grappling with these issues, progress has been extremely slow. Corporations such as Microsoft are advancing their own views on acceptable behavior (“International Cybersecurity Norms, Reducing Conflict in an Internet-dependent World”). In the end, it may be that multinational companies will be the most significant influence on developing international norms.
By Tom Davis, SDI Cyber Risk Practice
SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.
April 7, 2015