Recent reporting has revealed growing frustration among members of the U.S. Senate Armed Services Committee that the U.S. Department of Defense has still not established a defined cyber deterrence policy or strategy, particularly with regard to “red lines.”
In December 2016, the National Defense Authorization Act called for “a report on the military and nonmilitary options available to the United States for deterring and responding to imminent threats in cyberspace.” Since then, little appears to have been done to develop a deterrent strategy, which is perplexing given that the United States has multiple avenues from which to build one: diplomatic, economic, military, and trade options that can all be leveraged to influence foreign state behavior.
Cyber deterrence is frequently discussed at the highest levels of the U.S. government, especially as hostile cyber actions continue to increase in frequency and magnitude, including instances where the destruction of information was the intended result. These include, but are not limited to, the theft of substantial amounts of personally identifiable information (e.g., Equifax), theft of intellectual property (e.g., by nation states), potential interference in presidential elections (e.g., Russia), theft of military plans (e.g., North Korea), and destruction of data (e.g., wiper malware). Historically, such activities have typically evaded any state repercussion, although some headway has been made in trying to punish nation state actors for their suspected involvement, including:
- In September 2017, the United States Cyber Command was reported to have launched a distributed denial-of-service (DDoS) attack against North Korea’s military spy agency, the Reconnaissance General Bureau.
- In 2017, using the authorities of a 2015 cyber sanctions Executive Order, the U.S. government sanctioned 11 entities and individuals for supporting designated Iranian actors or engaging in malicious cyber-enabled activity against the United States. Additionally, under the same authority, in late 2016 the U.S. government sanctioned nine entities and individuals over their alleged interference in the election: two Russian intelligence services, four individual officers of one of those services, and three companies that provided material support to the same service’s operations.
Part of the problem, as intimated by one Senator, is the desire to keep confidential how the United States perceives hostile cyber acts and how it will approach punishing them. This includes not only reserving the right to use offensive capabilities, but also when it would use them. The slow crawl toward crafting a cyber deterrence strategy can therefore be interpreted as the U.S. not wanting to show all of its cards to the global community. Much of U.S. strength in cyberspace has rested on being suspected of great capability while the extent and scope of that capability remained largely unknown. That advantage eroded with the Snowden disclosures of alleged U.S. cyber operations, the exposure of advanced exploits and tools attributed to the National Security Agency by the enigmatic Shadow Brokers, and suspected U.S. involvement in the critical infrastructure-targeting Stuxnet attack against Iran.
As with the global community’s inability to reach consensus on norms of nation state behavior in cyberspace, the status quo favors the current operational environment, in which governments conduct offensive cyber actions as they please. Being recognized as a cyber power, with both the capability to launch sophisticated cyber attacks at various levels and the freedom to launch them whenever it deems them in its national security interest, is advantageous. This flexibility allows a government to act unilaterally without proof of attribution or the need for international support or approval.
However, like any double-edged weapon, continuing to postpone both the development of a cyber deterrence strategy and the public announcement of its red lines works for and against the United States. The failure to articulate specific red lines lets the U.S. treat each cyber incident individually and respond as it chooses on a case-by-case basis. But the same logic works for any adversarial government that believes the U.S. was responsible for a cyber attack against its interests. As long as states are not required to present incriminating evidence to an international body such as the United Nations before they “hack back,” they need only be convinced of suspected state involvement to justify retaliation. This is the opposite of what today’s complex geopolitical cyber environment needs.
At their heart, red lines are unofficial markers that reference a figurative “point of no return” which, if crossed, might trigger substantial punitive action in response. They need to be articulated, socialized, and exercised for any deterrent strategy to have a chance of being effective. Critics believe that defining them more concretely ultimately creates a ceiling that hostile cyber actors may rise to but not surpass. Indeed, this sentiment was echoed by a Pentagon official who argued that openly detailing thresholds invites adversaries to hover near the line without fear of retaliation, as long as it is not breached. A second criticism is that setting red lines invariably limits what the United States would do in response to an act that falls below the threshold, and that not adhering to its own criteria risks the U.S. being perceived as “changing the rules” as it sees fit.
As the global community seeks avenues to collaborate on an array of cyber issues, it is imperative that red lines be set to provide a baseline from which responsible state behavior can be codified, because it is difficult to discuss cyber norms or develop an effective deterrent strategy without first setting the criteria for what will and will not be tolerated from foreign state actors in cyberspace. This is an important step toward reining in the recklessness that dominates this borderless domain. Nor do red lines need to be set in stone; reflecting the complexity of the digital space, they must account for nuance and sliding scales in the scope, severity, intent, and impact of cyber attacks. Like any worthwhile effort, the first round should not be expected to succeed. But there is as much value in finding what doesn’t work as in finding what does, in committing to the process, and in demonstrating a willingness to apply lessons learned to continually refine and evolve red line and cyber deterrence planning.
This is a guest post written by Emilio Iasiello.