05 April 2015

Will More Cyber Offense Deter Cyber Attacks?

Admiral Mike Rogers, the head of CyberCommand, told the Senate Armed Services Committee recently that we need to “think about how can we increase our capacity on the offensive side.” He was responding to Senator McCain and other members of the committee who were pushing for CyberCommand to put a greater emphasis than it has on offensive measures. Their reason for that emphasis? To deter attacks like those we have seen in the headlines, especially the attack on Sony.

That is the wrong message, given at the wrong time for the wrong reason.

There is no doubt that the United States needs a strong capability to launch cyber-attacks. They may, indeed, help deter some attacks by some adversaries. But other reasons are more essential to national security.

First, the cyber domain is an increasingly important part of the modern battlefield, much as air power became increasingly important in war during the first half of the last century. The military cannot ignore it, particularly as militaries other than our own are becoming both more capable and more reliant on this new technology. Our military must be prepared to take the cyber battle to the enemy, to project power through the cyber domain.

Second, cyber-attacks give policymakers an alternative means for pursuing policy objectives short of war. Economic sanctions are one of several sets of tools that can be used to promote the ends that policymakers seek. Stuxnet showed how valuable an offensive cyber tool could be in this context. The Israelis were pushing for an attack on Iranian nuclear facilities; Stuxnet provided an option that could—and did—slow the Iranian push toward a nuclear capability.

But how useful will offensive cyber weapons be for deterrence? Keep in mind that deterrence is all about perception. It is not enough to have a capability and to say that you will use it. Your opponent must believe that you will retaliate if the opponent attacks and that you will cause that opponent harm that exceeds the probable gains from the original attack.

This puts several conditions on the use of cyber means for deterrence. First, the attribution problem has to go away. Not only must we know who attacks us, our would-be attacker must know that we will know, despite efforts made to hide the source of the attack.

Second, would-be attackers must know the threshold beyond which they cannot go. Will we respond if embarrassing corporate emails are made public? If state secrets are stolen? If a million social security numbers are taken? If essential files are destroyed? If industrial control systems malfunction? If the power grid goes down? The threshold lies somewhere on a line drawn through that list, but where? The line has to be precise and clear to the opponent.

Third, a would-be attacker must know that the threat of our retaliation is credible. The opponent must know that the action threatened will hurt and that there can be no effective defense against it. Such a threat is easy for a nuclear power to make. A nuclear blast does hurt and, as yet, there is no assurance that the delivery of nuclear weapons can be stopped.

It is different in the cyber world. Can a retaliatory attack on targets purely in the cyber domain cause enough damage to make an opponent think twice about attacking? Perhaps, but I suspect not. Attacks on cyber targets that affect the physical world are more likely to, if their success can be guaranteed. But a would-be attacker must believe that such an attack will happen and that it cannot be stopped. 

There is, of course, no reason to limit retaliation to the cyber domain. But such asymmetric responses get away from the committee’s call for a greater emphasis on offensive cyber weapons. They warrant consideration precisely because of the limitations of cyber attack. (McCain did not simply call for a greater emphasis on offense. He called for a strategy for deterring cyber attacks.)

Another problem with making a threat credible is that cyber threats against a determined defender are transitory. An attack that succeeds today will be defended tomorrow. Stuxnet relied on five zero-day attacks. They have been patched, though one was fully patched only recently. And we cannot assume that the Iranians are as vulnerable to attacks launched through USB devices and contractors’ laptops as they were in 2010. After all, the Defense Department was also the victim of an attack by USB in 2008. Measures have been taken and the department’s vulnerability has been reduced. It is true that the attacker has the upper hand in today’s environment.

It is also a truism that a determined attacker can succeed. But will a would-be attacker be convinced that offensive cyber attacks by the United States that can cause significant harm are unstoppable? There is good reason to think not, despite the skills of the personnel in CyberCommand.

In addition, a response to a cyber attack using offensive means has to take escalation into account. In the nuclear world, deterrence was more like playing poker: once you got to the threat of a nuclear exchange, the chips were in; the cards were on the table. The power of the weapons, the damage they could do, put stark, horrifying limits on how the game could play out. In the cyber world, deterrence is more like chess: you have to plan to meet your opponent's next move. And the options the opponent has are manifold. This is especially so as the United States, more dependent on information technology than most other countries, with an immense cyber sector, offers a multitude of targets, many, perhaps most, of which are poorly defended. Can we be ‘escalation dominant’ in the cyber realm? That seems unlikely, even if our offensive cyber capability becomes more robust.

To conclude, then, when policymakers consider how to allocate the resources we are prepared to give to cyber operations, it seems wiser to continue to focus on defense than to seek to strengthen deterrence using offensive cyber means. A strategy of deterrence for cyber attacks, as McCain called for, is needed, but it can and should draw on means outside the cyber domain. The recent executive order that ordered sanctions against those responsible for cyber attacks can be one element of such a strategy.

What is needed more strongly than even the strong defense that CyberCommand may be able to provide for DoD is a comprehensive approach to defense in both the public and private sectors. Such an approach should strive to get past the distrust between (and within) the two sectors that has been especially strong since the Snowden revelations. It must include the exchange of the information available about the threats both sectors face, as so many are discussing now. It must also seek to set and maintain stronger standards for cyber defenses in ways that are both effective and flexible.

That is a tall order, but it is certainly not impossible to achieve. It gives us a more certain path to reducing the plague of attacks that both private companies and government agencies have suffered recently than trying to use cyber attacks to deter our opponents.