Cyber deterrence has proven to be quite an elusive end state. In an attempt to help push the conversation forward, the Defense Department Science Board's Task Force on Cyber Deterrence issued a report at the end of February offering several recommendations for achieving deterrence in cyberspace.
While heavy on the DoD side, the report does touch on other realms within the purview of civilian government agencies in what the previous White House administration referred to as a "whole of government" approach to deterring in cyberspace.
The recommendations in the report, which incorporates two years of work, "will bolster U.S. cyber deterrence and strengthen U.S. national security," wrote Craig Fields, chairman of the Defense Science Board.
The three challenges identified by the board, as they apply to cyber deterrence, include:
- Significant and growing ability of major powers, identified as Russia and China, to hold critical infrastructure at risk through cyber attacks and thwart military responses
- The growing potential of regional powers, identified as Iran and North Korea, to use indigenous or purchased cyber tools to conduct catastrophic attacks on critical infrastructure
- The ability afforded to non-state actors to perpetrate persistent cyber attacks that while might not be threatening or damaging by themselves, could have the cumulative effect of "death by 1,000 hacks"
To get at these difficult challenges, the report outlines three broad sets of initiatives both DoD and the nation should pursue to bolster deterrence:
- Plan and conduct tailored deterrence campaigns to deal with a range of potential attacks rather than a one-size-fits-all.
- Create a cyber-resilient "thin line" of key U.S. strike systems that are increasingly vulnerable to exploitation.
- Enhance foundational capabilities both within DoD and the government to improve capabilities such as attribution – which is essential for deterrence to identify culprits, resilience and technology innovation.
Despite the cries from many inside and outside the government for a more cohesive cyber deterrence strategy, the nation’s chief uniformed cyber officer believes this line of thought is too narrow.
"I would argue that we should view cyber as one element of a broader deterrence campaign," Adm. Michael Rogers, director of the National Security Agency and commander of U.S. Cyber Command told an audience at the AFCEA-UNSI West 2017 conference in San Diego, California at the end of February.
Rogers offered cyber should be thought of as one dimension of something bigger because in his opinion, that has a greater probably of achieving a favorable outcome than simply looking at cyber through a narrow prism of reprisal.
Members of Congress, however, have long criticized the White House and DoD for lack of a deterrence strategy. The secretary of Defense must deliver a report to Congress on deterrence of adversaries in cyberspace as stipulated in the 2017 National Defense Authorization Act. The act also directs the president to submit a report on the "types of actions carried out in cyberspace against the United States that may warrant a military response."
For members of Congress, there has been the perception that no costs are imposed for malicious activity in cyberspace. Further complicating matters are the increasing frequency of incidents involving cyber intrusions – from Iran’s denial of service attacks against the U.S. financial sector, to North Korea’s destructive attack against Sony Picture, to the German steel mill explosion thought to be the result of Russian cyber intruders – the Science Board writes deterrence is growing more important as "we have only seen the virtual tip of the cyber attack iceberg."
One of the critical questions DoD's Science Board asks rests within the cyber norms discussion and the use of exploits for "legitimate" espionage/collection activities or for pre-positioning of disruptive activities.
"As a key example, is it acceptable or unacceptable for nations to pre-position malicious software in each other’s electrical grids, as appears to have occurred to the United States with ‘HAVEX’ and ‘BlackEnergy’ malware," the report asks. "If it is acceptable, then the United States may wish to take such actions – if for no other reason than to deter an adversary from ‘pulling the trigger’ on similar implants it may have placed in U.S. systems. If it is unacceptable, then the United States should work to identify and impose costs on any nation that undertakes such an action."
The report also recommends the government develop a playbook for cyber response as opposed to a "cookbook" of "formulaic responses" for a range of cyber and non-cyber options to present to the president in the case deterrence fails.