The U.S. Department of Defense’s new strategy focuses on prevention
By Aaron Hughes, U.S. deputy assistant secretary of defense for cyber policy
Malicious actors in cyberspace pose a complex and dynamic set of threats that leaders and policymakers will need to address in the 21st century. The cyber threat against U.S. interests is increasing in severity and sophistication, and it comes from state and nonstate actors alike.
Just as nation-states have advanced cyber capabilities and strategies ranging from stealthy network penetration to intellectual property theft, criminal and terrorist networks are also increasing their cyber capabilities and operations. The low cost and global proliferation of malware have lowered barriers to entry in this domain and have made it easier for smaller actors to strike out maliciously in cyberspace. The world is also seeing blended state and nonstate threats in cyberspace, which not only have the potential to undermine stability, but complicate potential responses for the U.S. Department of Defense (DoD) and for others.
During the last few years, numerous high-profile malicious cyber or cyber-enabled events have grabbed the public’s attention, including incidents that have affected Sony Pictures Entertainment, the U.S. Office of Personnel Management, the DoD unclassified Joint Staff network, the French TV5 Monde network and the Ukrainian power grid. These continuing high-profile incidents make it only natural for national security professionals and international relations scholars to question whether anything can be done to deter malicious activity in cyberspace.
This is an important question that the DoD is working to answer, since we rely heavily on cyberspace for virtually everything we do. The DoD has three missions in cyberspace. The first is defending our own networks, systems and information. Second is to defend the U.S. and its interests against cyber attacks of significant consequence. Our third mission is to provide integrated cyber capabilities, including offensive cyber options, which, if directed by the president, can augment our other military capabilities.
Fostering Cyber Deterrence
In the face of the growing cyber threat and the need to fulfill our cyberspace missions, the DoD is developing and implementing a comprehensive strategy to deter cyber attacks against the department and U.S. interests. One challenge is ensuring that the strategy is broad enough to address the wide variety and number of threat actors in cyberspace. The strategy must also take into account the types of cyber attacks we are trying to deter. Given the sheer scale of cyberspace and the broad availability of malware, the DoD must face the reality that it is impossible to deter all cyber attacks. As the DoD continues to build its Cyber Mission Force and its overall cyber capabilities in the face of the escalating threat, the DoD believes that deterring cyber attacks on U.S. interests will best be achieved through the totality of U.S. actions and capabilities. This includes key elements and tools such as U.S. declaratory policy, enhanced indications and warning capabilities, defensive posture, effective response procedures, and the overall resiliency of U.S. networks and systems. Deterring state and nonstate groups in cyberspace requires a whole-of-government approach, and the DoD will play its part as one of the instruments of national power available to the president.
Deterrence works by persuading a potential adversary that it will suffer unacceptable costs in response to an attack (cost imposition) and by decreasing the likelihood that any attack will succeed (denying the objective). As such, the U.S. must be able to declare and display effective response capabilities to deter an adversary from initiating a cyber attack; develop effective defensive capabilities to deny a potential cyber attack from succeeding; and strengthen the overall resilience of U.S. systems in the event that a cyber attack does penetrate our defenses. As part of an effective deterrent posture, the U.S. requires strong intelligence, cyber forensics, and indications and warning capabilities to reduce anonymity in cyberspace and increase confidence in attribution. Here is a closer look at the four points that are the foundation for fostering deterrence:
Response: Through various documents, reports, and public statements by the president and secretary of defense, the U.S. has articulated that it can respond to a cyber attack on U.S. interests. In such a case, the effects of a cyber attack are assessed on a case-by-case and fact-specific basis by the president and his national security team. Significant consequences resulting from an attack may include loss of life, property destruction, or significant adverse foreign policy and economic consequences. If a decision is made by the president to respond to a cyber attack on U.S. interests, the U.S. reserves the right to respond at a time, in a manner, and in a place of our choosing, using appropriate instruments of U.S. power. Adversaries should know that our preference for deterrence and our defensive posture do not diminish our willingness to use military options — including cyber capabilities — when necessary. And when we do take action — defensive or otherwise, conventionally or in cyberspace — the DoD will operate in accordance with international and domestic legal obligations.
Denial: The DoD is working to increase its defensive capabilities to defend its networks and to defend the nation from sophisticated cyber attacks. In doing so, we are working with other departments and agencies, international allies and partners, and the private sector to strengthen deterrence by denial through improved cyber security.
When U.S. Secretary of Defense Ashton Carter introduced the DoD Cyber Strategy in 2015, he mentioned an example of a recent malicious cyber incident in which the sensors that guard DoD unclassified networks detected Russian hackers accessing one of our networks through an old, unpatched vulnerability. Although it is worrisome that the intruders were able to achieve some access to our unclassified network, we were nevertheless able to identify the compromise quickly, and we had a team of incident responders hunting down the intruders within 24 hours. After obtaining valuable information about their tactics and analyzing their network activity, we kicked them off our network in a way that minimized their chances of returning. This story has a happy ending, but that is not the only reason Secretary Carter chose to tell it — publicly discussing our ability to rapidly detect, attribute and expel an intruder from our military networks also has an important deterrent effect.
Resilience: Because we cannot guarantee that every cyber attack will be denied, the DoD is investing in resilient and redundant systems so that we are able to continue our vital operations in the face of disruptive or destructive cyber attacks. A vital component of such “mission assurance” is identifying and protecting the networks and systems that are most critical to DoD operations.
More broadly, other agencies of the government must also work with critical infrastructure owners and operators and the private sector to develop resilient and redundant systems that can withstand attacks. Such measures can help convince potential adversaries of the resiliency of U.S. networks and systems and, therefore, the futility of attempting cyber attacks.
Attribution: The perception that anonymity prevails in cyberspace helps to enable malicious cyber activity by state and nonstate groups. Improved attribution capabilities are therefore a fundamental part of an effective cyber deterrence strategy. The DoD and the U.S. intelligence community have invested significantly in all-source collection, analysis and dissemination capabilities, which serve to reduce the anonymity of activity in cyberspace. Attribution enables the DoD and other departments and agencies to more confidently conduct response and denial operations against an incoming cyber attack.
Attribution — both in public and in private — can play an important role in dissuading cyber actors from conducting attacks. The DoD will continue to collaborate closely with the private sector and other departments and agencies of the U.S. government to strengthen attribution capabilities. This work will become an even more important factor in deterrence as activist groups, criminal organizations and other actors acquire advanced cyber capabilities in the future.
Many pundits and scholars refer to the role of deterrence in preventing nuclear conflict during the Cold War. Although many often draw parallels to the success of deterrence strategy during the Cold War, we must remember that deterrence in cyberspace today is much more complex. Because of the high cost and complexity of nuclear weapons, there were only a few actors — all nation-states — that needed to be deterred. That is not the case today in cyberspace, where even sophisticated malware can be found on the Internet with little effort and at low cost. As we seek to apply the lessons of the Cold War to the modern threat of cyber attacks, we also need to remember that the concept and practice of deterrence in the nuclear age did not emerge fully formed overnight, but instead developed over time. So, too, the DoD will continue to build deterrence by investing in the development of the Cyber Mission Force and its associated capabilities. Response, denial, resilience and attribution are the foundations upon which our deterrent posture rests.