Modern field guide to security and privacy

Opinion: The Pentagon's risky offensive cyberstrategy

While the Pentagon's new cybersecurity strategy puts more weight on striking back against criminal or nation-state hackers, a more effective way to deter attacks may be through diplomacy, law enforcement, and sanctions.

Ben Margot/AP
Defense Secretary Ash Carter unveiled the Pentagon's new cybersecurity strategy at a speech on April 23 at Stanford University.

The Pentagon’s new strategy for cyberoperations, which Defense Secretary Ashton Carter unveiled last week in Silicon Valley, is a strong sign the US is shedding its defense-only paradigm for cybersecurity policy.

The US has long focused on strengthening online defenses to reduce vulnerability to attack, but recently, there's been a stronger push by policymakers to find new ways to deter attacks before they happen. The goal of threat deterrence is to raise the costs of, and reduce the benefits from, cyberattacks and cyberespionage so that they no longer pay. The new strategy reflects the growing understanding at the highest levels of the US government that there is value in a hybrid model of cybersecurity based not only on defense but also on finding ways to be proactive.

According to the updated Pentagon approach, the Department of Defense has several roles to play in this. First, the strategy calls for the department to strengthen “deterrence by denial.” Specifically, the strategy calls on both DOD and the private sector, which owns and operates more than 90 percent of cyberspace infrastructure, to protect their networks. Although this message is couched in the now-popular government buzzword of deterrence, this is simply a call for more defense, which is nothing new.

The strategy also calls for the DOD to adopt effective resilience and redundancy measures. Although the strategy does not specify what it means by this, resilience can be enhanced through a variety of capabilities, including integrity and segmentation. Integrity capabilities allow a potentially infected network to be reset to an earlier and uninfected state. Segmentation walls off certain parts of the network from others in order to help isolate sources of infection.

Whether adopted by the Defense Department, critical infrastructure owners, or the private sector more generally, the strategy notes that such measures contribute to cyberdeterrence by helping to “convince potential adversaries of the futility of commencing cyberattacks on US networks and systems.”

Resiliency can mitigate the consequences of a successful attack. But fortifying networks is more easily said than done, and the Pentagon strategy is short on details as to how the department will achieve this goal, let alone how critical infrastructure owners and the private sector more broadly will do so, as is necessary if resilience is effectively to deter cyber adversaries.

The most striking aspect of the strategy, however, is that it portrays DOD’s offensive capabilities as essential to deter adversaries from initiating cyberattacks on the US. This approach dovetails with National Security Agency Director Adm. Mike Rogers’s recent congressional testimony. In that testimony, Admiral Rogers, who also heads US Cyber Command, took the position that effective deterrence requires the US to increase its cyberoffensive capabilities.

The implication of the NSA chief's testimony and the DOD strategy is that offensive capabilities are necessary because the existing US approach to cyberdeterrence is, by itself, insufficient to deter cyberattacks. But such a conclusion may be premature. It is only recently that the US began to view threat deterrence as an integral part of its cybersecurity strategy, and even more recently – only in the last year or so – that deterrence appears to have motivated government action (as opposed to diplomacy) in response to cyberattacks and cyberespionage.

Even in that short time frame, there has been considerable progress on the threat deterrence front, with the government taking several high-profile steps to punish malicious cyberintruders.

First, less than a year ago, the Department of Justice issued a groundbreaking public indictment of five Chinese military officers for economic espionage against several large US companies including Westinghouse Electric and U.S. Steel. This first-of-its-kind indictment identified five individual Chinese People’s Liberation Army officers involved in cyberespionage and detailed their activities. In doing so, the US ramped up the political and diplomatic costs to China and others engaged in like activities in an effort to deter them from such behavior.

Second, just a few months ago, the government invoked sanctions in response to the Sony hack. After the US government publicly attributed the hack to the North Korean government, President Obama signed an executive order pursuant to which the Treasury Department imposed targeted sanctions on specified North Korean government agencies and officials. This marked the first time that Washington invoked sanctions in response to a nation-state sponsored cyber attack.

The sanctions – unlikely to have a significant effect on North Korea due to its limited commercial interaction with the US – clearly were designed to send a signal to other would-be cyber threat actors that such intrusions are not without cost. As Treasury Secretary Jack Lew said at the time, “These steps underscore that we will employ a broad set of tools to defend US businesses and citizens and to respond to attempts to undermine our values or threaten the national security of the United States.”

Third, just last month, President Obama issued an executive order establishing a sanctions program for those conducting cyberattacks modeled on US counterterrorism and nonproliferation sanctions programs. The program is designed to penalize those who engage in destructive cyberattacks against critical infrastructure and/or commercial cyber espionage by freezing their assets, among other things.

Drawing conclusions at this time regarding the effectiveness of America's nascent cyberdeterrence efforts is premature. Not enough time has passed for even the limited actions described above to have taken full effect, and it seems reasonable to assume that when more such actions have been taken, the impact on cyberadversaries will be greater.

Moreover, there are avenues for government action that have not yet been tapped; for example, the possibility of game-changing legislation in this area should not be ruled out. Over the past few years, a number of bills designed to deter cyberthreat actors have been introduced in Congress, including legislation that would allow corporate victims of cyberespionage to recover damages from such intrusions.

As it is too early to know whether the government’s still-developing deterrence strategy is working, it is premature to deem offensive cyberoperations a necessity for purposes of deterrence. Given the potential downsides of DOD engaging in offensive cyberactivity – e.g., the possibility of damaging diplomatic relations or causing unintended harm – a sensible approach may be to hold off on such activity for purposes of threat deterrence while exploring the effectiveness of other, more modest, avenues for relief from cyberthreats, such as diplomacy, law enforcement, governmental sanctions, and civil remedies.

Regardless of whether the DOD engages in offensive cyberactivity for purposes of threat deterrence, the new DOD strategy reflects the growing consensus that cyberattacks must not go unpunished; that a heavy cost for such activities must be imposed; and that DOD can play an important role in the development and implementation of a comprehensive and effective US cybersecurity strategy based in part on threat deterrence.

 
