Cyber Secrecy Undermines Deterrence

By Lieutenant Blake D. Herzinger, U.S. Navy

From Passive to Active Defense

As postured today, the DOD’s cyber warfare enterprise focuses on defense of military networks through security measures and passive threat monitoring, with a loose commitment to offensive cyber response measures through computer network defense (CND) and law enforcement. Operational relationships among the primary guarantor of U.S. network security (Department of Homeland Security), U.S. DOD network security, and the primary protector of U.S. secret networks (National Security Agency) are still unclear. Problems are complicated further by subordinate cyber organizations within the DOD, along with various other federal agencies such as the FBI, Department of the Treasury, and Department of Energy. A 2016 Government Accountability Office report indicated that even after the flurry of cyber activity within the federal government and military, the DOD has yet to define how it will support civilian authorities in the event of cyber attacks. No organization—options include U.S. Northern Command or U.S. Cyber Command—has been designated to take lead in DOD support for cyber contingencies.[5] Our military’s professed “limited and specific role to play in defending the nation against cyber attacks of significant consequence” shifts the onus for 90 percent of network defense onto civilian enterprise.[6]

U.S. nuclear weapons development revolutionized warfare because we were the first, there was little defense, and no possible proportionate retaliation existed against them. Cyber warfare’s revolution comes in the form of a zero-day exploit, rather than a looming mushroom cloud. It is the zero-day exploit—a cyber warfare tool built exclusively to capitalize on a previously undiscovered weakness in an opponent’s defenses—that is the indefensible weapon of today’s war.

Dr. Angelos Keromytis of the Defense Advanced Research Projects Agency warns that “defenders must move beyond traditional static defenses to exploit the natural advantages of their IT systems and expertise.”[7] Passive and reactive signature-based computer security requires a new update every eight seconds to keep pace with known malware exploits, but it does not provide protection against zero-day exploits and leaves the DOD networks consistently vulnerable to our adversaries. A passive defense, no matter how strong, ultimately will fail in the face of a concentrated hack. Continued reliance on a cyber Maginot Line is, as U.S. Army General George S. Patton so eloquently stated, “a testament to the stupidity of man.”

Active cyber defenses involve the capability to identify the source of a cyber attack and then to use offensive tools against the perpetrator. These tools are scalable and can range from simply disrupting the ongoing attack to crippling the systems used in the hack. Some hesitance to develop a cyber deterrent stems from fear of inviting a more serious counterattack. In answer to this, one must refer to nuclear game theory. Many detractors of nuclear deterrence postulated that the presence of nuclear weapons simply would incite more low-level conflict; instead, the presence of a deterrent served to curtail conflict, as rational actors sought to avoid situations that might escalate into a nuclear exchange. Rather than retaliate, most states likely will concentrate on effective cyber enforcement within their own borders to prevent use of active defenses against them.

Current enforcement methods present another obstacle to a functional strategy of active-defense cyber deterrence. The lines between cyber warfare, cyber espionage, and cyber crime are indistinct. Most cyber offenses are investigated and prosecuted by law enforcement agencies, rather than addressed as threats to strategic assets (the U.S. economy and its Internet backbone). For cyber attacks originating outside the United States, legal efforts only can take effect to the extent that the state of origin participates in an investigation, which, even among U.S. allies, is often unenthusiastic. When examining state-backed cyber attackers (particularly in Russia, China, and Iran), the level of real cooperation is absolute zero.

Historically, it has been difficult to ascertain the identity of malicious cyber actors, given that a hallmark of skilled attacks is the ability to mask signatures and identity. Use of the Onion Router (Tor), a series of routers commonly used by criminals, whistleblowers, and Internet-privacy advocates to ensure anonymity, has provided a certain level of security for malicious actors. Anonymity, combined with the low risk of prosecution, has lent a guise of invulnerability to international hacker groups. De-anonymization of cyber actors is not impossible, however, and can be executed with enough precision to identify at least the country of true origin, if not the individuals involved.[8]

Deny Cyber Safe Havens

In a 2015 address delivered at West Point, Admiral Mike S. Rogers, Commander U.S. Cyber Command, explained that “the concept of deterrence in the cyber domain is relatively immature.”[9] He added that “when you look at the application of cyber as an offensive tool, it must fit within a broader legal framework—the Law of Armed Conflict, international law, the norms we have come to take for granted in some ways in the application of kinetic force.”[10] Rogers admitted, however, “we’re clearly not there yet.”[11] Unfortunately for us, our adversaries are “there,” and have displayed a willingness to take advantage of the lack of consequences for the conduct of offensive cyber operations against the United States.

In fact, international law already supports the use of active defenses. It generally is accepted that Article 51 (governing self-defense) of the United Nations Charter applies to cyber warfare. States undeniably have a responsibility to prevent use of their territory by non-state actors to launch international attacks. Cyber expert Jeffrey Carr states, “traditionally, this duty only required states to prevent illegal acts that the state knew about beforehand; however, this duty has evolved in response to international terrorism and now requires states to act against groups generally known to carry out illegal acts.”[12] United Nations Security Council Resolution 1373 directs states to “deny safe haven” to terrorist actors. It does not require a great leap to apply this logic to the question of cyber attacks. The DOD, in concert with the U.S. State Department, should codify a response to “sanctuary states” that repeatedly allow cyber attacks to be conducted from their territory. If state responsibility or complicity in frequent cyber attacks is proven, then use of active-defense cyber deterrence is easily justifiable to stop future cyber attacks originating from inside that state’s borders.

Clear and Codified Capabilities

Cyberspace underpins both the U.S. economy and our nation’s security. It is as much a strategic resource as national oil reserves, airspace, or any other physical asset that would be defended vigorously if infringed upon by a foreign actor. The Department of Defense must establish—or if it has established it must reveal—its capability to counterattack decisively in the cyber domain. When the United States has a clear and codified capability to exact a cost on attackers in cyberspace, those attackers will be forced to reconsider their actions or face dire consequences.

1. Ponemon Institute LLC, “2015 Cost of Cyber Crime Study: Global,” Hewlett Packard Enterprise, October 2015.

2. McAfee Corporation, “Net Losses: Estimating the Global Cost of Cybercrime,” Center for Strategic and International Studies, June 2015.

3. Ibid.

4. Ibid.

5. Joseph W. Kirschbaum, “DOD Needs to Clarify Its Roles and Responsibilities for Defense Support of Civil Authorities during Cyber Incidents,” U.S. Government Accountability Office, April 2016.

6. U.S. Department of Defense, “The DoD Cyber Strategy,” features/2015/0415_cyber-strategy/Final_2015_DoD_CYBER_STRATEGY_for_web.pdf.

7. Angelos Keromytis, “Active Cyber Defense,” Defense Advanced Research Projects Agency.

8. Occupy the Web, “Is Tor Broken? How the NSA Is Working to De-Anonymize You When Browsing the Deep Web,” Wonder How To, 2014.

9. Cheryl Pellerin, “Rogers Discusses Cyber Operations, ISIL, Deterrence,” DOD News-Defense Media Activity, 2 March 2015.

10. Ibid.

11. Ibid.

12. Jeffrey Carr, Cyber Warfare, 2nd ed. (Sebastopol, CA: O’Reilly Media Inc., 2011), 48.

Lieutenant Herzinger, an Intelligence Officer, serves as the Brooks Center for Maritime Engagement’s (BCME) only liaison officer in Southeast Asia, where he conducts information-sharing and relationship-building activities among U.S. allies and partners in U.S. 7th Fleet. BCME addresses the CNO’s priority strategic information requirements concerning security threats to our global maritime environment. This contribution won second prize in the cyber essay contest sponsored with Hewlett Packard Enterprise.
