Toward a Cyber Deterrence Strategy?
Almost a year to the date after the White House cybersecurity executive order, the Department of Homeland Security (DHS) last week released a new Cybersecurity Strategy. The DHS strategy reinforces its role as the key authority for defending and preventing cyber attacks within the United States, noting the ten-fold increase of cyber incidents reported on federal systems between 2006-2015 and the need for building a resilient cybersecurity ecosystem.
The DHS Strategy follows the March release of the Command Vision for US Cyber Command, which outlines the new Unified Combatant Command’s objective to, “Achieve and maintain superiority in the cyberspace domain to influence adversary behavior, deliver strategic and operational advantages for the Joint Force, and defend and advance our national interests.” The Vision outlines the aim to achieve superiority in cyberspace through persistence, defending forward, and engaging adversaries.
Together, these two strategic documents touch upon two major aspects of deterrence – deterrence by denial and deterrence by punishment. With the release of a national strategy on cyber deterrence delayed in the National Security Council, these two documents may add insight into what may emerge in the new strategy, while also revealing some of the many remaining challenges. Importantly, they demonstrate the necessity for and challenges with reimagining deterrence for the digital age, which requires a whole of society approach and better defined parameters for what to deter in the first place.
Deterrence is a strategy to dissuade or prevent adversaries from taking specific actions. Most deterrence frameworks are based on nuclear deterrence and Cold War dynamics, and are ill-equipped to handle the nuances of the cyber domain. As both the DHS and Cyber Command strategies highlight, the bipolar international system of the Cold War no longer exists, and has been replaced with several near peer adversaries, criminal groups, mercenaries, terrorist organizations and lone wolves who can access open source nation-state cyber capabilities. The asymmetric nature of cyberspace shifts the fundamentals of power, misperception and misattribution are heightened and of course all of the challenges of nuclear proliferation and traditional kinetic attacks still exist. Moreover, while nuclear deterrence focuses on deterring nuclear attacks, the parameters for cyber deterrence remain ambiguous. Is it based on preventing certain effects, such as critical infrastructure destruction? Preventing certain kinds of malicious activity, such as cryptojacking or ransomware attacks?
While the parameters remain nebulous, there has been some progress in strategic deterrence that integrates the cyber domain. Joseph Nye recently specified four key mechanisms for deterrence: denial, punishment, entanglement, and norms. The DHS and Cyber Command strategic documents address these first two mechanisms, while referencing entanglement and norms as well, and are worth exploring.
Deterrence by Denial
The DHS strategy details a risk management approach, and in many regards resembles those cyber risk management models increasingly adopted in the private sector. For instance, Pillar 1 focuses on risk reduction, and includes a range of focal areas including maximizing investments, protection for both legacy systems and cloud and shared infrastructure, and reducing risk while maximizing investments. Part of the risk management also includes the desire to, “increasingly leverage field personnel…to encourage the adoption of cybersecurity risk management best practices.” This is referenced in the context of protecting critical infrastructure, and will be interesting to watch whether this leads to new private-public sector collaboration frameworks. The risk management approach is echoed in the Department of Energy’s recent cybersecurity plan, and together may signal broader government action toward minimizing risks and optimizing outcomes.
In addition to risk management, the DHS strategy emphasizes resilience, execution, and a complex systems approach that integrates the human and technical aspects of cybersecurity. Importantly, by focusing on building resilience within an ecosystem, the DHS strategy integrates the human and technical aspects of cybersecurity, while taking steps to address better coordination between the private and public sector. In focusing on the cyber ecosystem, the DHS Strategy inherently frames defenses based on a socio-technical system. This helps pull various aspects of deterrence by denial under one umbrella, including expanding the workforce, capacity building, and incident response, in addition to the technological research and development required to strengthen defenses.
Deterrence by Punishment
Cyber Command’s Vision similarly stresses the role of resilience but, given their new authorities and mission, takes an approach focused more on gaining superiority through persistence and active engagement. While the Vision does not emphasize traditional perspectives on deterrence, several aspects do imply deterrence by punishment and impacting the risk calculus of adversaries. In defining cyberspace superiority, the Vision not only focuses on the need for fully functioning cyber operations, but also the security of land, air, maritime, and space forces as well. This is a welcome departure from dominant discussions that treat the cyber domain as a silo and ignore the cross-domain effects. This is a growing trend, as the recent Nuclear Posture Review (NPR) integrates cross-domain deterrence by punishment. The NPR specifies that the U.S. will only consider employing a nuclear response under extreme circumstances, which may include “significant non-nuclear strategic attacks” on the U.S. or allies, which may reference a destructive cyber attack.
The Vision also takes a broader perspective on how adversaries are exploiting cyberspace for their objectives. For instance, it notes, “Cyberspace capabilities are key to identifying and disrupting adversaries’ information operations.” This is closely linked to Imperative 3 and the push toward integrating cyberspace operations with information operations, acknowledging the full-spectrum of potentially malicious behavior in cyberspace to which the U.S will respond. The Vision reiterates a seamless transition between offense and defense, and defending forward as much as possible to cause adversaries to shift to defense and holding them accountable for cyber-attacks. Finally, the Vision focuses on achieving an overmatch of capabilities, which again impacts the risk calculus of adversaries and informs deterrence.
Overcoming Failures of Imagination
“We must anticipate the changes that future technological innovation will bring, ensure long-term preparedness, and prevent a “failure of imagination.” DHS Strategy
“Anticipate and identify technological changes, and exploit and operationalize emerging technologies and disruptive innovations faster and more effectively than our adversaries.” Cyber Command Vision
Authoritarian regimes and malicious non-state actors continue to creatively leverage all facets of the cyber domain to achieve a range of objectives with little gap between technology and policy. Both the DHS Strategy and Cyber Command Vision note that the U.S. gap between policy and technology must also close through anticipating, integrating, and preparing for technological change. To that end, each strategic document takes steps toward preventing strategic surprise. This includes research and development across all phases of operations, and international collaboration and partnerships. Each document also notes the necessity for shaping acceptable behavior in cyberspace, and references deterrence through the establishment of norms.
That leaves deterrence by entanglement, which is where the private sector plays a unique, unparalleled role compared to the other domains, and is rarely discussed when it comes to deterrence. Within the Cyber Command Vision, the emphasis is on leveraging the talents, products and expertise of the private sector for information sharing and capability development. The DHS Strategy similarly focuses on expanding collaboration and strengthening partnerships with the private sector. Each of these is important, especially as private sector initiatives such as the Tech Accord and Charter of Trust aim to protect the resilience, security, and privacy of cyberspace. The private sector is key to entanglement (and denial) as the owner of much of the data and infrastructure, and due to its role in cross-national economic interdependence and reliance on the Internet as a key mechanism for economic growth. This aspect of deterrence is especially relevant for US-China relations, but also applies to relatively isolated countries as well.
Finally, in the effort to better prepare for and prevent surprise, it is absolutely necessary to innovate strategic thinking when it comes to cyber deterrence. First, much greater refinement is required to identify what behavior the strategy is intending to deter, and how to progress from strategy to action. Both documents note that not all malicious activity will be deterred. With everything from information operations to wiper attacks to phishing campaigns falling under the umbrella of malicious cyber activity, targeted deterrence is required to then tailor and prioritize deterrence strategies against the most impactful kinds of malicious cyber activity. The recently introduced DETER Act takes steps in this direction, moving away from a one-size-fits-all approach and instead mandates distinct action plans based on the effect and the attacker. Second, cybersecurity strategies must be creative and innovate to promote the most impactful aspects of U.S. soft power: democratic norms and civil liberties. Both the DHS and Cyber Command documents acknowledge this, emphasizing the necessity to pursue these strategies in “ways consistent with our national values and that protect privacy and civil liberties.” This is an absolutely essential component to innovation, public-private relationships, and serves as a cornerstone to U.S. soft power. However, as is common in strategic documents, it is not clear how each organization will achieve this balance, or what steps will be taken in many of other areas as well. While the strategic documents take much needed steps toward informing a broader national cybersecurity strategy, they should be monitored to see if and how they are translated from strategy to action.