After repeated calls from Congress, the White House finally delivered a cyber deterrence policy outlining how the United States will respond to cyber attacks from malicious actors.
The plan gives a way for the United States to show its teeth on cyber policy by defining retaliation measures for cyber attacks.
The policy stated the United States is “pursuing deterrence through cost imposition measures … designed to both threaten and carry out actions to inflict penalties and costs against adversaries that choose to conduct cyber attacks or other malicious cyber activity against the United States.”
Those measures include pursuing law enforcement measures, sanctioning malicious cyber actors, conducting offensive and defensive cyber operations and using military force.
The policy goes further in saying it is in the United States’ interest to assist other countries in building the capacity to combat cybercrime.
The United States is encouraging countries to join the Budapest Convention on Cybercrime. The convention defines a framework for deterring cybercrime, giving law enforcement agencies the authority to investigate cybercrime and enacting cybercrime laws, among other actions.
So far 44 countries have ratified the convention into law.
The White House policy also supports “deterrence by denial,” which aims to “persuade adversaries that the United States can thwart malicious cyber activity, thereby reducing the incentive to conduct such activities.”
The deterrence by denial provision also prioritizes identifying and defending critical infrastructures to the United States. Deterrence by denial will bolster government network defenses and defend against insider threats as well.
“Government efforts and resources will be prioritized to ensure that those particular systems benefit from continuously improving and evolving cybersecurity and network defenses,” the policy stated.
The provision supports building strong partnerships with the private sector to promote cybersecurity best practices and assist in building public confidence in cybersecurity measures.
Congress recently passed the Cyber Information Sharing Act, which legally unfetters companies from sharing cyber attack data with the government.
The Department of Homeland Security was tasked in 2013 with identifying critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects.
Congress has been pushing the Obama administration to deliver its overdue cyber deterrence strategy required in defense authorization acts from the last three years.
In a Nov. 18 letter to Director of National Intelligence James Clapper, Senate Armed Services Committee Chairman John McCain (R-Ariz.) said he is “seeking an explanation for the administration’s delay in developing a cyber deterrence policy and utilizing the many tools available to it to achieve substantive deterrence.”
McCain sent a second letter to Attorney General Loretta Lynch and Department of Homeland Security Secretary Jeh Johnson stating the administration’s lack of sanctions in the U.S.-China cyber agreement is a prime example of the President refusing to use the authority given to him.
“The failure to utilize these authorities is alarmingly consistent with this administration’s refusal to articulate a robust strategy to deter cyber attacks against the United States,” the second letter states.
The logic of the cyber deterrence strategy is that the policy will keep cyber attackers from infiltrating systems if they know what response the United States will have to the attack.
It works similarly to a nuclear deterrence strategy where redlines are drawn and the United States has a public policy to make adversaries aware of its response to crossing those redlines.
“Suppose there is an attack like the one on [the Office of Personnel Management]. Do you respond by counterattacking? Do you respond by trying to enact other measures? What do we do in case of a cyber attack?” McCain said, during a September Armed Services Committee hearing.
Sens. Tim Kaine (D-Va.), Mike Rounds (R-S.D.) and Angus King (I-Maine) have all called for a strategy.
Until the release of the deterrence strategy the administration said Defense Department’s cyber strategy, released in April, was considered a cyber policy. Deputy Defense Secretary Bob Work during a congressional hearing said if the United States were attacked DoD would have the ability to come up with an appropriate response.
However, lawmakers disagreed with the assertion that the strategy is considered a policy because no redlines are drawn.
“Dr. Strangelove taught us that if you have a doomsday machine and no one knows about it, it’s useless,” King said during a September Intelligence Committee hearing. “Having a secret plan as to how we will respond … the deal is they have to know how we will respond and therefore not attack in the first place.”
DoD has the capability to respond to an attack in an offensive or defensive manner. The Defense Information Systems Agency stood up a joint headquarters in January to protect DoD networks. DISA Director Alan Lynn said the joint force has already been in seven named operations.
The DoD cyber strategy also creates a cyber mission force of 133 teams. Of those teams, 52 are set aside for combat missions and support to combatant commanders and contingency operations. The rest provide defense capabilities to the homeland and defense networks.
Requests for comments were sent to multiple congressional offices on the topic of the new deterrence strategy, but none were immediately returned.