The Pentagon’s risky offensive cyber-strategy


Melanie Teplinsky:
The new Pentagon strategy for cyber-operations that Defence Secretary Ashton Carter unveiled last week in Silicon Valley is a strong sign the US is shedding its defence-only paradigm for cyber-security policy.
The US has long focused on strengthening online defences to reduce vulnerability to attack, but recently, there’s been a stronger push by policymakers to find new ways to deter attacks before they happen. The goal of threat deterrence is to raise the costs of, and reduce the benefits from, cyber-attacks and cyber-espionage so that they no longer pay. The new strategy reflects the growing understanding at the highest levels of the US government that there is value in a hybrid model of cyber-security based not only on defence but also on finding ways to be proactive.
According to the updated Pentagon approach, the Department of Defence has several roles to play in this. First, the strategy calls for the department to strengthen “deterrence by denial.” Specifically, the strategy calls on both DOD and the private sector, which owns and operates more than 90 per cent of cyberspace infrastructure, to protect their networks. Although this message is couched in the now-popular government buzzword of deterrence, this is simply a call for more defence, which is nothing new.
The strategy also calls for the DOD to adopt effective resilience and redundancy measures. Although the strategy does not specify what it means by this, resilience can be enhanced through a variety of capabilities, including integrity and segmentation. Integrity capabilities allow a potentially infected network to be reset to an earlier and uninfected state. Segmentation walls off certain parts of the network from others in order to help isolate sources of infection. The most striking aspect of the strategy, however, is that it portrays DOD’s offensive capabilities as essential to deter adversaries from initiating cyber-attacks on the US. This approach dovetails with National Security Agency Director Adm. Mike Rogers’s recent congressional testimony. In that testimony, Admiral Rogers, who also heads US Cyber Command, took the position that effective deterrence requires the US to increase its cyber-offensive capabilities.
Even in that short time frame, there has been considerable progress on the threat deterrence front, with the government taking several high-profile steps to punish malicious cyber-intruders.
First, less than a year ago, the Department of Justice issued a groundbreaking public indictment of five Chinese military officers for economic espionage against several large US companies including Westinghouse Electric and US Steel. This first-of-its-kind indictment identified five individual Chinese People’s Liberation Army officers involved in cyber-espionage and detailed their activities. In doing so, the US ramped up the political and diplomatic costs to China and others engaged in like activities in an effort to deter them from such behaviour.
Second, just a few months ago, the government invoked sanctions in response to the Sony hack. After the US government publicly attributed the hack to the North Korean government, President Obama signed an executive order pursuant to which the Treasury Department imposed targeted sanctions on specified North Korean government agencies and officials.
This marked the first time that Washington invoked sanctions in response to a nation-state sponsored cyber attack. The sanctions – unlikely to have a significant effect on North Korea due to its limited commercial interaction with the US – clearly were designed to send a signal to other would-be cyber threat actors that such intrusions are not without cost.
Third, just last month, President Obama issued an executive order establishing a sanctions programme, modelled on US counterterrorism and nonproliferation sanctions programmes, for those conducting cyber-attacks. The programme is designed to penalise those who engage in destructive cyber-attacks against critical infrastructure and/or commercial cyber espionage by freezing their assets, among other things.
Drawing conclusions at this time regarding the effectiveness of America’s nascent cyber-deterrence efforts is premature. As it is too early to know whether the government’s still-developing deterrence strategy is working, it is premature to deem offensive cyber-operations a necessity for purposes of deterrence. Given the potential downsides of DOD engaging in offensive cyber-activity – e.g., the possibility of damaging diplomatic relations or causing unintended harm – a sensible approach may be to hold off on such activity for purposes of threat deterrence while exploring the effectiveness of other, more modest, avenues for relief from cyber-threats, such as diplomacy, law enforcement, governmental sanctions, and civil remedies.
Regardless of whether the DOD engages in offensive cyber-activity for purposes of threat deterrence, the new DOD strategy reflects the growing consensus that cyber-attacks must not go unpunished; that a heavy cost for such activities must be imposed; and that DOD can play an important role in the development and implementation of a comprehensive and effective US cyber-security strategy based in part on threat deterrence.
(The Christian Science Monitor)
