The Defense Department long has held the view that it will never be able to build enough technological walls to stop every cyber attack by opposing nation states, and that the best bet is deterrence.
The Pentagon is organizing that deterrence strategy around four pillars, starting with the idea that it needs to speak loudly, but carefully, about the strategy itself.
The approach involves a difficult balancing act: officials want to convey as clearly as possible what they view as international norms in cyberspace and be transparent about their strategies to deter nation-state cyber attacks, including the idea that the U.S. will respond with conventional military forces if cyber weapons cause serious economic damage or loss of life. But they do not want to declare in advance the “red lines” that would trigger a military response if other countries crossed them.
“Try and sit down and figure out what that red line would be and what you would promise the world what you would do to them if they crossed that line. As soon as you do that, everyone in the world is going to try and see how thick that red line is,” said Eric Rosenbach, the assistant secretary of defense for homeland defense and global security. “They’re going to go as close to it as they possibly can. We have very consciously decided that we don’t want to put a bright line on certain things.”
Instead, Rosenbach told the Center for Strategic and International Studies on Thursday, DoD wants to make sure the world at large at least understands the U.S. thought process when it comes to cyber deterrence, and he said DoD must more clearly communicate its intentions in cyberspace, especially given recent NSA disclosures that have given some countries the idea that the U.S. is on a relentless offensive campaign.
Rosenbach said the Pentagon is clear-eyed about the fact that even though there’s very little it can do to shy terrorist groups away from cyber weapons if they were to acquire them, governments still can be deterred, and they also respond to the Pentagon’s messaging when it discusses its thinking in public.
Following international standards
DoD first learned that lesson in 2011, when in a report to Congress, it discussed cyber deterrence in a non-classified forum for the first time and also made its first acknowledgement that DoD has offensive cyber capabilities.
In that report, DoD said it viewed cyber weapons in much the same way it approaches bombs and missiles: Any offensive use would need to be approved by the President, and would follow the same legal regimes the U.S. uses when it decides whether to use kinetic weapons.
“That seems like a very small thing. But when your nation state adversaries are watching you very closely, they pick up on things like that,” Rosenbach said. “The reason I know is that when I was meeting people from other countries, they asked me a lot of questions about a congressional report that otherwise would have generated no attention. It made us realize that we do need to keep communicating about this. More often than not, when we’re not transparent, especially about things like offensive cyber, other countries believe we’re trying to rain destruction on the world.”
The specific messages DoD wants to communicate to other nations are what make up the three other deterrence pillars: that the United States will respond to cyber attacks, that it has an active strategy to make sure other countries don’t gain much benefit from attacking U.S. infrastructure via cyberspace, and that even if an attack is successful, those networks will quickly bounce back into action.
On response, Rosenbach said the U.S. message is that the military will sometimes respond tit-for-tat by meeting a cyber attack with a cyber response — but not always.
“The response could be something that doesn’t have anything at all to do with DoD,” he said. “It could be a démarche, it could be sanctions, it could be an indictment, it could be a public statement that this is unacceptable, something that we’ve done a lot more of in the last year in particular.”
DoD also wants to deter future cyber attacks by ultimately sending the message that those attacks won’t be successful and so attempting them isn’t worth the cost.
Rosenbach said the U.S. could send that signal either via direct communications to other nations or by making obvious to a would-be attacker on the network that it’s not worth their trouble.
Network resilience part of the strategy
That pillar of the deterrence strategy is most credible when it comes to DoD’s defensive activities to protect its own networks. Indeed, the majority of the 6,000-person force which U.S. Cyber Command is building right now is focused on defending the military’s own systems.
But for now, projecting an image of invulnerability is more difficult when it comes to defending U.S. critical infrastructure.
“The biggest problem is that we don’t own the nation’s critical infrastructure, and generally, there’s been a large underinvestment in the cybersecurity of that infrastructure,” he said. “So it’s impossible for the Department of Defense, even with everything we have going on, to intercept every single cyber attack.”
Nonetheless, “denial” — creating a perception that attacks are likely to cost a lot and gain the attacker very little — remains a key element of DoD’s strategy for deterring attacks in the future.
As a backup to the denial strategy, DoD’s current thinking involves a future of more network resilience. The hope is that attackers will get the message that even if they do make their way into the networks of an element of the nation’s critical infrastructure, the system will be able to take a few punches and then quickly recover.
“If we’re not successful in the denial and they do attack, it alters the cost-benefit calculus if the network comes right back up or the lights only go out for 15 minutes,” Rosenbach said. “Now the bad guys are in a pretty bad position, because they launched an attack on the nation. They kind of did it, and we know what they were trying to do. And if you’re the leader of bad country X, you know it’s game on, somebody’s coming after you, and the response is probably not just going to be cyber if you went after us in a major way.”