As the U.S. Department of Defense increasingly worries about damage that could result from a massive cyberattack, national security leaders are debating the best strategy to prevent such incursions. Should they adopt a philosophy that aims to stop an attack of any kind or should they try to dissuade enemies from specifically pursuing a cyberattack?
“Just because you have an issue in cyber you don’t have to respond in cyber. We use all the instruments of power,” Donald Bray said April 29 during an event hosted by the New America Foundation. Bray formerly led the Army’s Cyber Protection Brigade and is now director of cyber initiatives of global training solutions at Raytheon. “How you formulate your particular deterrence plan for the issue just depends on what’s the best approach for that particular problem.”
His comments echo similar sentiments made by government officials, who have scoffed at the idea that the Defense Department should respond to cyber incidents only with tools within the cyber domain.
A senior Department of Defense official told reporters in April that as part of a formal review of the department’s cyber posture, Pentagon leaders focused on deterrence, although not specifically cyber deterrence. Instead, they studied how cyberspace operations would factor into broader deterrence efforts.
For years, national security experts have said the pure threat of retaliation, either from the conventional U.S. military or from the country’s economic power, has prevented a serious cyberattack on critical infrastructure.
“That’s why you don’t see strategic attacks on the nation is because of the weight that we can bring to bear conventionally,” the official said. He noted most of the work in the posture review focused on actions below the threshold of conflict.
Amy Zegart, senior fellow at Stanford’s Hoover Institution, argued it’s worth parsing what types of cyber activities are most preventable and what types aren’t. In an April 26 podcast interview with the Brookings Institution, she pointed to the Pentagon’s most recent nuclear posture review that states the United States reserves the right to use nuclear forces to retaliate against non-nuclear strategic attacks.
“Do we really think the United States government would launch a nuclear retaliatory strike after a cyberattack of however consequential damage might be on the United States?” she asked. “Lots of debate about that. Is that really a robust deterrence strategy? Probably not.”
Some experts also believe Cyber Command’s new, more assertive approach in its defense of daily cyberattacks, known as “defend forward,” may not be a deterrent in and of itself but will have a collective deterrent effect.
Some inside and outside government are careful to couch new cyber authorities as offensive in nature, saying they allow greater flexibility in defense.
“Over time, if you push back, hopefully you’ll get a deterrent effect,” said Emily Goldman, who serves on the policy planning staff in the office of the secretary at the Department of State and is on loan to the State Department from the National Security Agency. Goldman spoke at an April 23 event hosted by the Atlantic Council. “At some point, you’ll come to a sense that this is not worth the energy we’re putting in to try to do x, y or z.”
Instead, experts said government officials should view cyberwarfare as a way to provide one additional tool in their tool box.
“Cyber is not separate,” Lt. Col. Natalie Vanatta, national cyber protection team leader and deputy chief of research at the Army Cyber Institute, said at the New America event. “Cyber is just one other component, one other effect that we can put into a commander’s kit bag to use to achieve the mission. How he or she chooses to employ it to be able to get to mission success.”
In the future, she said, it’s critical leaders understand that cyber, and by extension Cyber Command, might be the primary effort in an operation and sometimes it might be supporting the military effort. Similarly, with a whole of government approach, “sometimes cyber might be the main effort but sometimes U.S. Cyber Command … will be a supporting effort to some other aspect,” she said. These whole of government responses can include diplomatic demarches, sanctions or indictments.
Current and former officials know foreign hackers may never see the inside of a U.S. courtroom, but they feel there are strong reasons to pursue them.
Moreover, some experts argue that having a strong cyber force will not serve as a strong cyber deterrent.
“There is no doubt among adversary actors that we have a high-quality cyber offense capability,” Peter Singer, strategist and senior fellow at the New America Foundation, said. “One of the things … [Edward Snowden] did reveal [is] that there is high-quality capability there. But that did not yield cyber deterrence.”
In the cyber arena, the most common refrain for creating a deterrent effect is so-called deterrence by denial.
“We would gain greater deterrence through a resilience structure,” Singer said. “It’s where adversaries don’t just fear retaliation in the same way … but rather you don’t hit me because you know it’s not going to work. I will shake it off, I will bounce back quickly. We as a nation don’t have good resilience when it comes to our overall national cybersecurity.”