United States Cyber Deterrence Policy?

posted May 28, 2016, 4:37 AM by Michael Lenart   [ updated Oct 10, 2016, 6:00 AM ]

Michael Lenart 

Introduction

The notion of cyber deterrence has usually been met with skepticism. The classic argument against deterrence in the cyber domain lies in the difficulty of attribution: an adversary can conduct an attack in such a way that it is extremely difficult, and often impossible, to know who conducted it. Hence the attacker knows he can’t be identified, which makes him confident he can’t be retaliated against. This makes it impossible to deter him, since he knows he can attack with impunity.

Yet there exists a fairly sizable literature on the topic of cyber deterrence. Moreover, the U.S. Congress believes it’s possible, as evidenced by its mandate in the 2014 National Defense Authorization Act that the Obama Administration produce a cyber deterrence policy. The administration eventually complied, very quietly submitting a deterrence policy report to Congress in December 2015, about a year later than expected. [1] In fact, it's uncertain whether the administration truly considers the report its official policy, given the complete lack of fanfare accompanying it. This very timid release seems to match the document’s content and tone, which aren’t especially ambitious. Nevertheless, it’s a fairly thoughtful document in some ways, and it adds to the discussion on an important topic. This article will review some of the report’s major elements.

Scope and Strategy

First, recognizing that not all malicious cyber activity can be addressed, the policy report scopes what the administration intends to deter. This includes:

“…cyber threats that threaten loss of life via the disruption of critical infrastructures and the essential services they provide; or that disrupt or undermine the confidence in or trustworthiness of systems that support critical functions, including military command and control and the orderly operation of financial markets or that pose national-level threats to core values like privacy and freedom of expression...”

In simple terms, the policy focuses on deterring malicious activity that has strategic-level consequences.

The policy seeks to deter in two broad ways: deterrence by denial and deterrence through cost imposition. Deterrence by denial aims “to persuade adversaries that the United States can thwart malicious cyber activity, thereby reducing the incentive to conduct such activities.” Deterrence through cost imposition is “designed to both threaten and carry out actions to inflict penalties and costs against adversaries that choose to conduct cyber attacks or other malicious cyber activity against the United States.”

In short, the U.S. aims to demonstrate that attackers’ likelihood of success is relatively low (deterrence by denial), and that even if they do succeed, they’ll face painful consequences for it (deterrence by cost imposition). In addition, the policy outlines a few “Activities that Support Deterrence,” which this article will briefly discuss as well.


Deterrence by Denial

Deterrence by denial occurs through what one may call five lines of effort:

  1. Identifying and Protecting Key Critical Infrastructure

  2. Sharing Threat Information

  3. Promoting Best Practices through the Cybersecurity Framework

  4. Defending Against Insider Threats

  5. Bolstering Government Network Defenses

As explained in the report, Executive Order 13636 set the ball in motion on the first line of effort, Identifying and Protecting Key Critical Infrastructure, by directing the Secretary of Homeland Security to “identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects.” The purpose of this was to prioritize the specific pieces of infrastructure (financial exchanges, electric grids, water processing plants, transportation facilities, etc.) the government most needs to protect. This prioritization supports the deterrence policy’s scope: Focus on deterring malicious activity that has strategic-level consequences.

Sharing threat information among major stakeholders also supports deterrence by denial, as it “provides network defenders the opportunity to close known vulnerabilities before they can be fully exploited.” This sharing occurs across the federal government, vertically among different levels of government, and perhaps most importantly with private sector groups, who own and operate the majority of key infrastructure.

The deterrence policy report also explains that Executive Order 13636 directed the National Institute of Standards and Technology to “lead a process to develop a template of cybersecurity best practices.” The first such template was released in early 2014 and is referred to as the Cybersecurity Framework. The Cybersecurity Framework offers organizations a way to raise their “overall cybersecurity baseline” by providing “globally recognized standards and practices to help [them] understand, communicate, and manage their cyber risks.” Put another way, it provides organizations an overarching construct that captures the major elements of a cybersecurity plan.


Sadly, cybersecurity threats aren’t wholly external to an organization. Insider threats can be terribly damaging as well. Consequently, the government established three interagency entities “to ensure responsible sharing and safeguarding of classified information”. These include the Senior Information Sharing and Safeguarding Steering Committee (the Steering Committee), the Executive Agent for Safeguarding, and the National Insider Threat Task Force (NITTF). Respectively, these bodies ensure senior-level accountability for safeguarding of classified information on computer networks; develop technical safeguards for classified information on national security systems; and manage “a government-wide insider threat program for deterring, detecting, and mitigating insider threats.”


The last line of effort in deterrence by denial, Bolstering Government Network Defenses, consists of a fairly wide-ranging series of defense and resiliency efforts. The first of these is the Cybersecurity Cross-Agency Priority goal, which is one of 15 presidential priorities requiring extensive interagency cooperation. Through the Cross-Agency Priority goal, the government establishes expected cybersecurity outcomes among departments and agencies, and holds them accountable for those outcomes.

The deterrence policy specifically highlights DoD’s role in Bolstering Government Network Defenses. It describes how U.S. Cyber Command, the Service Cyber Components, NSA, and the Defense Information Systems Agency monitor DoD networks and provide regular “threat and vulnerability information to the operators of those networks.” Furthermore, the policy explains how DoD’s construction of the Joint Information Environment “will provide secure Internet communications and intelligence through the use of a shared infrastructure, enterprise services, and a single security architecture.”


Even confident defenders must prepare for successful adversary attacks, however. This requires that operators ensure the resiliency of their networks, systems, and data. In other words, networks must be able to operate during or at least soon after attacks.

Once again, the relation of these five lines of effort to deterrence is that if executed successfully, they will theoretically make adversaries skeptical about the success of would-be attacks. This in turn makes adversaries less likely to spend the time and resources necessary to attack in the first place.

Deterrence by Cost Imposition

In a Council on Foreign Relations Net Politics article, Adam Segal comments on the recent guilty plea of a Chinese hacker in a U.S. court by saying, “Washington appears intent on trying to strengthen deterrence in cyberspace—to convince potential adversaries that the United States can over time attribute attacks and that there will be consequences for cyberattacks.” [2]

The deterrence policy document itself paints a less optimistic picture, but it still teases at the idea of legitimate attribution capabilities: “While the United States’ ability to attribute a cyber attack to a specific actor through long-term analysis has improved dramatically in recent years, allowing for malicious actors to be held responsible for their actions, high-confidence attribution in real-time remains difficult.”

Either way, attribution is the foundation of deterrence by cost imposition. Without attribution, there is no target upon whom to impose the “cost.” Moreover, as attribution capabilities improve, as they likely will, the following options for imposing costs on attackers will become increasingly feasible:

  1. Imposing economic costs

  2. Pursuing appropriate law enforcement actions

  3. Developing military options to defend the nation in cyberspace

Economic costs are imposed primarily through financial and trade sanctions. The thinking goes that if you can tie up the attacker’s money, refuse to buy his exports, and/or refuse to sell him goods and services upon which he relies, you can affect his cost-benefit analysis in deciding whether to attack you. This is a classic tool of statecraft applied to a cyber context.
Pursuing appropriate law enforcement actions has two major parts: investigating, prosecuting, and disrupting malicious cyber activity; and building international capacity to combat cybercrime. Investigating and prosecuting malicious cyber activity is more or less standard law enforcement applied to an international cyber context. Examples include the case of the guilty-plea Chinese hacker mentioned above, the indictment of five Chinese military hackers in 2014, and the recent indictment of seven state-sponsored Iranian hackers for attacks on U.S. banks and reconnaissance of the Bowman Avenue dam in New York. The policy also includes disruption of malicious activity while it is still going on, such as when a law enforcement organization takes down a botnet.


The second part of pursuing appropriate law enforcement actions, building international capacity to combat cybercrime, is an acknowledgement that the U.S. cannot police cyberspace alone. Therefore, the U.S. leads many training programs to help foreign partners develop the ability to investigate, prosecute, and disrupt cybercrime. These programs are based on the Budapest Convention on Cybercrime, the structure of which includes three main elements: “(1) ensuring law enforcement agencies have the authorities and tools to investigate cybercrime… (2) enacting substantive cybercrime laws; and (3) using mechanisms like the 24/7 Network on High Tech Crime” to facilitate prompt international law enforcement cooperation.


The perhaps most exciting (and definitely most risky) means of cost imposition is developing military options to defend the nation in cyberspace. The policy doesn’t explicitly spell out the kind of red-meat military options that some national defense hawks may advocate, but it hints at them. It mentions the formation of U.S. Cyber Command and the use, when necessary, of offensive cyberspace operations. It further notes that responding to a cyber attack may occur in other domains. For instance, the U.S. may choose to conduct an air strike against a command and control node within the cyber attacker’s country. The policy takes pains, however, to state that the U.S. prefers to use network defense, law enforcement, economic actions, and diplomacy over military options. It further tamps down on aggressive impulses by stating that when a military response is necessary, the “symmetrical response” of a cyber attack “can be narrowly tailored to target the precise system or systems that are perpetrating an attack against the United States.” Thus the policy goes out of its way to assert that the U.S. seeks to minimize the damage it causes in responding to cyber attacks.


Activities that Support Deterrence

The last major section of the policy describes activities that support deterrence. It reads something like a grab bag of additional topics related to cyber deterrence and cyber issues in general. The section includes: using a whole-of-government and whole-of-nation approach; strategic communications; developing relevant intelligence capabilities; bolstering international engagement; and conducting targeted research and development. The most pivotal in terms of supporting deterrence are strategic communications and developing relevant intelligence capabilities.

Strategic communications in this context are very important. The policy notes that “signaling” is key to successful deterrence, as it ensures that would-be attackers know which activities are unacceptable, and that these activities will be forcefully answered. The administration caveats this, however, by stating that the U.S. will remain ambiguous regarding the kinds of attacks that will provoke a response, and what kind of response the U.S. will employ when attacked. This is to ensure that adversaries don’t continually conduct attacks just under the declared U.S. threshold. Strategic communications also support deterrence when the U.S. publicizes particular crimes and criminal trials, such as with the aforementioned Chinese military and Iranian state-sponsored hackers. This “naming and shaming” is especially important in cases such as these, in which the defendants aren’t actually present in the U.S. to be tried. Thus the publicizing of the crime is the primary purpose of the indictment.

Intelligence capabilities are also important for deterrence. Though the policy doesn’t explicitly mention attribution, it does refer to how improved intelligence capabilities and the relatively young Cyber Threat Intelligence Integration Center can better “connect the dots” on cyber incidents and support agencies’ efforts to “investigate” attacks. This is attribution under another name and, as discussed, attribution is the key to deterrence by cost imposition.

Observations

Below are a few brief observations on the deterrence policy. The reader will no doubt have additional observations.


1. The relative obscurity of the policy document, which one could argue covers a very important, even vital subject, indicates that the Obama Administration may lack confidence in the policy or in the concept of cyber deterrence itself. It is also possible that developing the policy, though important, was simply eclipsed by what the administration considered greater priorities. Lastly, one must remember that the requirement originated in legislation written by a Republican-controlled Congress. Consequently, the administration may have considered the requirement unnecessary or inadvisable, but not worth a veto fight. Thus, the administration may have chosen to simply “check the block” with a merely adequate product. For an opposition party response to the policy, see the article at End Note [3].


2. A caution about "narrowly tailored" operations such as the “symmetrical” cyber responses the policy highlights: They can be too surgical and assume an unrealistically simple and knowable adversary who seems easier to control than he actually is. Elegant solutions are rarely effective in statecraft, which is why air strikes and sanctions have almost always failed to live up to the hopes of their most strident advocates. On the other hand, a multi-faceted response (a combination of cyber attacks, sanctions, naming and shaming, etc.) is more likely to have truly significant effects on one’s adversary. For instance, however one feels about the 2015 Iranian nuclear agreement, the combination of Stuxnet, sanctions, diplomatic isolation, and the plausible threat of force did more to bring the Iranians to the table than Stuxnet alone would have.


Of course, the type of measured symmetrical response the policy espouses does better to avoid escalation, which is almost always an admirable instinct. However, deterrence is easily as much about the bluff as it is about real reactions to actual attacks: So when a would-be “deterrer” emphasizes ahead of time that he wishes to minimize the damage he causes, he undermines his deterrence efforts by signaling that his response won’t hurt the attacker that much after all.

3. With regard to deterrence by cost imposition, MCPA Advisor and world-renowned cyber guru Jason Healey believes the U.S. Government went too far when it indicted Iranian hackers for gaining access to, but not attempting to damage, New York's Bowman Avenue Dam. He essentially states that this was commonly accepted intelligence work, and indicting those responsible for it potentially puts American cyber personnel in danger of being indicted in foreign courts. [4]

4. The policy rightly explains that strategic communications support deterrence. However, the section on strategic communications emphasizes signaling how the U.S. will identify and respond to malicious activity, i.e., how strategic communications support deterrence by cost imposition specifically. Nowhere does this section mention efforts to communicate U.S. defensive capabilities. In other words, strategic communications do not support deterrence by denial. Now, one may understandably be skeptical about how well cyber defensive capabilities can deter a determined, capable attacker, but since the policy treats deterrence by denial as legitimate, it should grant that publicizing one’s supposedly effective defensive capabilities can deter most or at least some attackers.


Conclusion


The notion of cyber deterrence is controversial. Nonetheless, it is probably achievable against certain actors under certain circumstances, or at least will become so as attribution capabilities improve. Thus the quietly submitted U.S. deterrence policy report is a document worth reviewing. It addresses a fairly wide range of cyber policy and defense issues. And from a broader, more strategic perspective, scrutinizing the policy’s content, assumptions, and assertions provides a refresher on what deterrence is, how it is achieved, and what its limitations are.

Michael Lenart is the Editor-in-Chief of Cyber magazine and an Army Strategist. His areas of interest include national security, cyberspace operations, and organizational change.

End Notes

[1] Scott Maucione, Federal News Radio

http://1yxsm73j7aop3quc9y5ifaw3.wpengine.netdna-cdn.com/wp-content/uploads/2015/12/Report-on-Cyber-Deterrence-Policy-Final.pdf

[2] Adam Segal, Net Politics

http://blogs.cfr.org/cyber/2016/03/24/chinese-national-pleads-guilty-to-hacking/

[3] Andrew Blake, Washington Times

http://www.washingtontimes.com/news/2016/jan/15/john-mccain-says-white-houses-cyber-deterrence-pol/

[4] Jason Healey, Cyber

http://magazine.milcyber.org/stories/healeyuntweeted


Photo Credits (in order of appearance)

securityaffairs.co, tvtropes.org, Melissa Patterson, latimes.com