Can DoD Develop Effective Cyber Deterrents?
Rep. Adam Schiff and others repeatedly urged President Obama “to call Russia out” over cyber intrusions into U.S. political, election and personal computer systems last summer, but it wasn’t until Oct. 7 that the United States formally accused the Russians of trying to interfere with U.S. elections through a series of computer hacking incidents this year.
As one embarrassing cyber breach after another emerged, Director of National Intelligence James Clapper and other senior officials stopped short of publicly blaming the Russians, highlighting one of the biggest challenges in the cyber domain: how to create a credible deterrent threat.
The Department of Defense Cyber Strategy calls for “a comprehensive cyber deterrence strategy to deter key state and non-state actors” from launching cyber attacks against U.S. interests. The strategy promises response “at a time, in a manner, and in a place of our choosing” and describes attribution as fundamental to deterrence by removing the anonymity that enables so much malicious cyber activity.
But this is easier said than done, notes Sean Kanuck, a former cyber issues chief in the Office of the Director of National Intelligence (DNI). “Many actors remain undeterred,” he said.
In economic as well as security terms, cyber is a disruptive force. Cyber reconnaissance, espionage and attacks remain relatively cheap and the consequences appear to be benign. But return on investment can be huge, Kanuck said at the Intelligence and National Security Summit in September.
Tailoring the Deterrent
Choosing an effective cyber deterrent “depends on what actor you’re trying to deter,” Kanuck said. To stop criminals, activists, ideologues and terrorists, “you have to have the ability to identify them and the ability to impose a punishment on them that will deter them,” he said. Today that’s seldom possible.
For nation states, the situation gets more complicated. U.S. officials remain reluctant to fight cyber with cyber. And other options, like sanctions, can take years to have an effect.
“There’s a lot of discussion about cyber hammers and cyber nails,” said Lt. Gen. Kevin McLaughlin, deputy chief of U.S. Cyber Command. “But in general, we’re not thinking about it that way. We’re thinking about deterring adversarial behavior using all the tools available to the department.”
McLaughlin said Cyber Command aims to provide combatant commanders with response options that include imposing costs and denying benefits to an adversary as well as increasing U.S. cyber defenses and resilience.
Fighting Cyber with Cyber
Simply unleashing a cyber counterattack is problematic because of the difficulty in proving beyond doubt where attacks in cyberspace originated, McLaughlin said, citing the “huge risk” in launching a cyber counterattack on the wrong target.
Kanuck agreed. Cyberspace “is massively multi-polar,” he said. Attacks can come from anyone, from hostile governments to terrorists to individual hackers.
Shawn Henry, former executive assistant director of the FBI and current president of the cybersecurity firm CrowdStrike Services, said specific characteristics in malware or in methods of attack may point to a particular culprit, but attribution with 100 percent certainty is extremely rare. Officials may also be reluctant to offer proof because doing so may expose tactics, techniques and procedures used to monitor cyber intrusions.
The U.S. military is anxious to develop better methods for attribution. The Defense Advanced Research Projects Agency (DARPA), for example, hopes to improve attribution through its Enhanced Attribution program. DARPA says it hopes to provide “high-fidelity visibility into all aspects of malicious cyber operator actions.” It aims “to increase the government’s ability to publicly reveal the actions of individual malicious cyber operators without damaging sources and methods.”
But cyber attribution and deception go hand in hand. Security experts believe cyber attackers will respond to efforts to increase attribution by developing better techniques to foil them. “Cyber tools are perishable,” DNI’s Kanuck noted.
Clear Red Lines
Some advocate establishing clear “red lines” to indicate to adversaries “what is no kidding off limits,” as Henry puts it. Doing so, the reasoning goes, would make cyber more like kinetic warfare, where it’s understood that physical attack will be met with an in-kind response.
But in cyberspace, Kanuck said, setting red lines essentially “invites people to do anything they want below the red line, thinking they have immunity.” Moreover, red lines can back nations into a corner such that they have to respond in a given way when a line is crossed in order to preserve their credibility, he said.
Perhaps that’s why Cyber Command’s McLaughlin says that, for now, the U.S. prefers ambiguity. But Henry argues that waiting until after a cyber attack to decide whether and how to retaliate makes responding more difficult. At a minimum, it wastes precious time.
At present, the best deterrent may be simply making it far more difficult to mount a successful attack. That’s not as hard as it sounds since many breaches can be traced back to careless or sloppy human errors. “Most successful intrusions or penetrations take advantage of the failure to follow basic cyber hygiene,” McLaughlin said. Failure to patch vulnerabilities and to update systems and failure to understand which parts of the system need higher levels of protection provide adversaries with too many openings for attack, he said.
So it stands to reason that improving system defenses raises the cost for cyber attackers: it “makes the adversary work harder,” McLaughlin said. “Today they don’t have to work hard.”
Cyber defenses could also be improved through better information sharing among government agencies, international governments and also private-sector businesses. Sharing information about attacks helps everyone improve their defenses.
But convincing everyone to cooperate hasn’t been easy. Since most of what’s on the Internet is privately owned, “the private sector is often the first line of defense,” CrowdStrike Services’ Henry said. And private companies’ first concerns are usually “all about stopping the bleeding, protecting their brand, protecting their company, their clients and their corporate interests.” Often, they fear disclosing details of a cyber attack could open them to legal liabilities and other damages, he added.
Unresolved Policy Matters
A landmark 2010 exercise called Cyber Shockwave, conducted by the Bipartisan Policy Center with support and guidance from academia and such industry leaders as General Dynamics, revealed multiple weaknesses and holes in U.S. cyber policy. Role players were highly experienced former senior administration and national security officials, such as former Homeland Security Secretary Michael Chertoff and former Director of National Intelligence John Negroponte. The exercise concluded with a series of recommendations, including:
- Establish clearly defined responsibilities among U.S. agencies for maintaining situational awareness on critical operational developments in cyberspace
- Develop clear responsibilities for the departments of Defense, Homeland Security and others as to what each will do during response to and recovery from a major cyber attack
- Stop relying on the Communications Act of 1934 and the Telecommunications Act of 1996; modernize the laws governing how government agencies respond to cyber attacks
- Consider seeking international agreements on what activity is permitted in cyberspace
- Launch a national education campaign to inform U.S. citizens about cybersecurity and require all internet users to have updated virus and malware protection
- Establish mechanisms for government cyber defenders to collaborate more effectively with their private sector counterparts
“There has been progress on a few,” said Blaize Misztal, director for national security at the Bipartisan Policy Center. “But most remain unaddressed or at least insufficiently addressed.”
The greatest progress came with the passage of the Cybersecurity Information Sharing Act in 2015, which began laying a legal foundation for closer private-public partnerships for identifying and sharing information about cyber threats, Misztal said.
Internationally, progress has also been made in establishing international norms of conduct in cyberspace through the NATO Cyber Centre of Excellence and the 2015 U.S.-China agreement to stop cyber-enabled economic espionage, he said.
“And most certainly, public awareness of cyber threats has increased dramatically, even just this year,” Misztal said. “But this alone is not sufficient to improve cyber hygiene. In almost every other area, significant work remains to be done.”
Roles and responsibilities within the government still aren’t clear, Misztal added: “Look at the current debate about whether the Department of Homeland Security should protect state electoral systems or not.”
There is “still no clear decision-making process, let alone guidelines, for determining how to deal with cyber incidents. Just witness the very different responses to the Sony, Office of Personnel Management and Democratic National Committee hacks,” he said.
Legal authorities for the president in a cyber emergency have still not been updated, “nor are we any closer to reaching a societal understanding of what ‘privacy’ should mean in the digital age,” said Misztal.
Finally, he added, while cyberattacks are becoming easier to attribute, “we still have no policy framework for when we name names or how we will respond if we do identify the perpetrators.”
These are issues the next presidential administration will undoubtedly have to address. Whether they can advance the ball and develop such a framework, however, remains to be seen.