Weaknesses in U.S. Cybersecurity Deterrence Strategy

I had an op-ed over the weekend arguing that last week’s Defense Department report to Congress – which announced for the first time a policy of using offensive cyber weapons in response to threats or uses of significant cyber weapons against the United States, and which was hailed by some as an advance in the U.S. cyber deterrence posture – reveals the weaknesses in U.S. cyber deterrence policy. The piece makes these points:

• The government’s retaliation threats are limited to “significant” or “crippling” cyber attacks.  The threats do not extend to, and thus cannot hope to deter, and indeed might be seen to invite, cyber exploitations and small-scale cyber attacks.

• The absence of threatened action against cyber exploitations, which are widely viewed to be the most immediate and significant national security concern, is bad in its own right, and doubly bad because cyber exploitations often cannot be distinguished from cyber attacks, at least until an attack begins, and thus passivity in the face of cyber exploitations encourages cyber attacks.

• Threats against large-scale cyber attacks are only effective if they are credible, and they are not credible to the extent that attribution is a problem.

• To tamp down on damaging cyber exploitations and small-scale cyber-attacks, and to establish credibility for retaliations for large-scale cyber attacks, the USG should, when it has decent attribution, engage in small-scale anticipatory or retaliatory attacks on the threatening foreign computer systems in ways that would not violate international law, and use non-military weapons as well, including political and diplomatic sanctions and the publication of embarrassing secrets about foreign governments.

The piece concludes:

Some argue that such retaliation will adversely affect diplomatic and economic goals, especially in relations with our chief cyber adversaries, Russia and China. But if the cyber threat is as serious as the government says, it must respond concretely when it has decent attribution, and Congress must give the administration the authorities it needs to do so. Events of the last decade have shown that, in the absence of concrete retaliation, complaints and vague threats will only embolden our adversaries.