Deterrence is achieved only when an adversary believes you have and are determined to use an assured second-strike capability. As Dr. Strangelove teaches us, having a secret second-strike capability not only will fail to discourage attacks, but in fact may invite them. Our nation’s reticence to articulate a clear threshold for conduct of offensive cyber attacks only has served to embolden our adversaries while creating a permissive environment for attacks on the U.S. economy and military targets.
Costs of Inaction
A Ponemon Institute study concluded that cyber warfare, espionage, and crime cost the average American company (drawn from a representative sample of 252 global corporations) approximately $15.4 million in 2015.1 Cyber-related losses have more than doubled in only five years. The maximum costs of any cyber attack against one of the sampled corporations, for example, went from $1.9 million in 2010 to $65 million in 2015. Another study found that intellectual property (IP) theft, a common cybercrime, costs U.S. corporations $200-250 billion annually.2 Loss of military technology IP can have a compounded effect, combining loss of technological military advantage with serious financial losses. The study also warns that the United States could lose up to 200,000 jobs if cyber crime continues to damage our economy.3
Attacks against American companies and the U.S. government are increasing, both in frequency and scope. North Korea’s hack on Sony in 2014 cost the company approximately $35 million, while a Chinese government-backed hacker group penetrated the Office of Personnel Management, exposing the personal information of more than 21.5 million people and costing the U.S. government up to $350 million.4 These cyber attacks pose a serious risk to national security. Our responses to these attacks, however, are often muted and rarely contain tangible punitive consequences for the perpetrators.
From Passive to Active Defense
As postured today, the DOD’s cyber warfare enterprise focuses on defense of military networks through security measures and passive threat monitoring, with a loose commitment to offensive cyber response measures through computer network defense (CND) and law enforcement. Operational relationships among the primary guarantor of U.S. network security (Department of Homeland Security), U.S. DOD network security, and the primary protector of U.S. secret networks (National Security Agency) are still unclear. Problems are complicated further by subordinate cyber organizations within the DOD, along with various other federal agencies such as the FBI, Department of the Treasury, and Department of Energy. A 2016 Government Accountability Office report indicated that even after the flurry of cyber activity within the federal government and military, the DOD has yet to define how it will support civilian authorities in the event of cyber attacks. No organization—options include U.S. Northern Command or U.S. Cyber Command—has been designated to take lead in DOD support for cyber contingencies.5 Our military’s professed “limited and specific role to play in defending the nation against cyber attacks of significant consequence” shifts the onus for 90 percent of network defense onto civilian enterprise.6
U.S. nuclear weapons development revolutionized warfare because we were the first, there was little defense, and no possible proportionate retaliation existed against them. Cyber warfare’s revolution comes in the form of a zero-day exploit, rather than a looming mushroom cloud. It is the zero-day exploit—a cyber warfare tool built exclusively to capitalize on a previously undiscovered weakness in an opponent’s defenses—that is the indefensible weapon of today’s war.
Dr. Angelos Keromytis of the Defense Advanced Research Projects Agency warns that “defenders must move beyond traditional static defenses to exploit the natural advantages of their IT systems and expertise.”7 Passive and reactive signature-based computer security requires a new update every eight seconds to keep pace with known malware exploits, but it does not provide protection against zero-day exploits and leaves the DOD networks consistently vulnerable to our adversaries. A passive defense, no matter how strong, ultimately will fail in the face of a concentrated hack. Continued reliance on a cyber Maginot Line is, as U.S. Army General George S. Patton so eloquently stated, “a testament to the stupidity of man.”
Active cyber defenses involve the capability to identify the source of a cyber attack and then use offensive tools against the perpetrator. These tools are scalable and can range from simply disrupting the ongoing attack to crippling systems used in the hack. Some hesitance to develop a cyber deterrent stems from fear of inviting a more serious counterattack. In answer to this, one must refer to nuclear game theory. Many detractors of nuclear deterrence postulated that presence of nuclear weapons simply would incite more low-level conflict; instead, the presence of a deterrent served to curtail conflict, as rational actors sought to avoid situations that might escalate into a nuclear exchange. Rather than retaliate, most states likely will concentrate on effective cyber enforcement within their own borders to prevent use of active defenses against them.
Current enforcement methods present another obstacle to a functional strategy of active-defense cyber deterrence. The lines between cyber warfare, cyber espionage, and cyber crime are indistinct. Most cyber offenses are investigated and prosecuted by law enforcement agencies, rather than addressed as threats to strategic assets (the U.S. economy and its Internet backbone). For cyber attacks originating outside the United States, legal efforts only can take effect to the extent that the state of origin participates in an investigation, which, even among U.S. allies, is often unenthusiastic. When examining state-backed cyber attackers (particularly in Russia, China, and Iran), the level of real cooperation is absolute zero.
Historically, it has been difficult to ascertain the identity of malicious cyber actors, given that a hallmark of skilled attacks is the ability to mask signatures and identity. Use of the Onion Router (Tor), a series of routers commonly used by criminals, whistleblowers, and Internet-privacy advocates to ensure anonymity, has provided a certain level of security for malicious actors. Anonymity, combined with the low risk of prosecution, has lent a guise of invulnerability to international hacker groups. De-anonymization of cyber actors is not impossible, however, and can be executed with enough precision to identify at least the country of true origin, if not the individuals involved.8
Deny Cyber Safe Havens
In a 2015 address delivered at West Point, Admiral Mike S. Rogers, Commander U.S. Cyber Command, explained that “the concept of deterrence in the cyber domain is relatively immature.”9 He added that “when you look at the application of cyber as an offensive tool, it must fit within a broader legal framework—the Law of Armed Conflict, international law, the norms we have come to take for granted in some ways in the application of kinetic force.”10 Rogers admitted, however, “we’re clearly not there yet.”11 Unfortunately for us, our adversaries are “there,” and have displayed a willingness to take advantage of the lack of consequences for the conduct of offensive cyber operations against the United States.
In fact, international law already supports the use of active defenses. It generally is accepted that Article 51 (governing self defense) of the United Nations Charter applies to cyber warfare. States undeniably have a responsibility to prevent use of their territory by non-state actors to launch international attacks. Cyber expert Jeffrey Carr states, “traditionally, this duty only required states to prevent illegal acts that the state knew about beforehand; however, this duty has evolved in response to international terrorism and now requires states to act against groups generally known to carry out illegal acts.”12 United Nations Security Council Resolution 1373 directs states to “deny safe haven” to terrorist actors. It does not require a great leap to apply this logic to the question of cyber attacks. The DOD, in concert with the U.S. State Department, should codify a response to “sanctuary states” that repeatedly allow cyber attacks to be conducted from their territory. If state responsibility or complicity in frequent cyber attacks is proven, then use of active defense cyber deterrence is easily justifiable to stop future cyber attacks originating from inside that state’s borders.
Clear and Codified Capabilities
Cyberspace underpins both the U.S. economy and our nation’s security. It is as much a strategic resource as national oil reserves, airspace, or any other physical asset that would be defended vigorously if infringed upon by a foreign actor. The Department of Defense must establish—or if it has established it must reveal—its capability to counterattack decisively in the cyber domain. When the United States has a clear and codified capability to exact a cost on attackers in cyberspace, those attackers will be forced to reconsider their actions or face dire consequences.
2. McAfee Corporation, “Net Losses: Estimating the Global Cost of Cybercrime,” Center for Strategic and International Studies, June 2015, www.mcafee.com/sg/resources/reports/rp-economic-impact-cybercrime2.pdf.
5. Joseph W. Kirschbaum, “DOD Needs to Clarify Its Roles and Responsibilities for Defense Support of Civil Authorities during Cyber Incidents,” U.S. Government Accountability Office, April 2016, www.gao.gov/assets/680/676322.pdf.
6. U.S. Department of Defense, “The DoD Cyber Strategy,” http://www.defense.gov/Portals/1/features/2015/0415_cyber-strategy/Final_2015_DoD_CYBER_STRATEGY_for_web.pdf.
7. Angelos Keromytis, “Active Cyber Defense,” Defense Advanced Research Projects Agency, www.darpa.mil/program/active-cyber-defense.
8. Occupy the Web, “Is Tor Broken? How the NSA Is Working to De-Anonymize You When Browsing the Deep Web,” Wonder How To, 2014,
9. Cheryl Pellerin, “Rogers Discusses Cyber Operations, ISIL, Deterrence,” DOD News-Defense Media Activity, 2 March 2015, www.defense.gov/News-Article-View/Article/604201.
12. Jeffrey Carr, Cyber Warfare 2nd Edition (Sebastopol, CA: O’Reilly Media Inc., 2011), 48.