The Nuanced, Opaque World of Cyber Deterrence

“Does she, or doesn’t she?” Still from a 1957 Clairol hair color commercial.

“Does she, or doesn’t she?” Dye her hair… of course.  This sales hook from Clairol became one of the most famous TV slogans of all time. What’s hilarious about it, too, is that these early commercials were in black and white, so it was nearly impossible to tell whether she did, or didn’t, even if you were paying close attention.

Call me weird, but this commercial popped into my head as I explored the United States’ cyber deterrence capability. Looking at recent events, one might also ask “does she, or doesn’t she?” And, like a black and white depiction of a hair dye job, it’s a little difficult to parse.

The apparent deficiency of American cyber deterrence

The United States has been the subject of some brazen cyber attacks in the last year, many of which can be traced to nation state actors like Russia and China. Why are our adversaries feeling so bold to attack us like this? The history of war suggests that enemies attack when they do not fear a reprisal. Russia and China could launch missiles at us if they wanted, but they wouldn’t be so stupid because we could fire more, better missiles right back at them. Thus, deterrents keep the peace. Cyber war does not seem so balanced for us right now. What’s going on?

Does the US have a cyber deterrent?

I put the “does she, or doesn’t she?” question to four cyber war experts. Their answers help paint a picture of a complex new world that blurs espionage with warfare. Yes, the US has a cyber deterrent. How it works, exactly, is of course classified, but the outlines are visible. The strength of that cyber deterrent, however, is hard to gauge.

Captain Jeffrey Buss, USN

According to Captain Jeffrey Buss, USN, Deputy Director of the US Naval Academy’s Center for Cyber Security Studies, “Cyber Command is about to become a COCOM, so I would say the U.S. has taken steps to provide a cyber deterrent.  One of the issues, however; is that in order to be an effective deterrent our adversaries have to fear repercussions for their actions in Cyber.  I don’t believe they do currently.”

Dr. Aaron Brantly, a Cyber Policy Fellow at The Army Cyber Institute, explained, “The US has made clear that it will consider any tool and will respond at a time and place of its choosing should a cyber attack warrant such a response. This really only works for catastrophic level attacks and it not useful for anything below the highest threshold. This standard of deterrence is also accepted by NATO. The delineation of what is a high intensity attack remains undefined and subject to interpretation. There is a real misconception that we must respond to a cyber attack with a cyber attack, this could not be further from the truth.” International law dictates that a response should be proportional but does not have to be equivalent. The problem using a cross domain response as a deterrent mechanism is new ground beyond sanctioning and risks potential escalation.We are not alone, however. Buss added, “At the international level there’s a NATO cooperation agreement, under Article 5 of NATO, if one of us is attacked, it’s as if we’re all attacked – which was triggered after 9/11.  There’s also a NATO Cooperative Cyber Defence Centre of Excellence in Estonia that we participate in.  I like Peter Singers idea presented in his book ‘Cybersecurity and Cyberwar What Everyone Needs to Know’ that nations need to band together like we did against the Barbary Pirates.  The U.S. Navy was formed to counter this threat, it would seem a good analogy of why we might need a U.S. Cyber Force that was aligned with partner nations to rid the world of Cyber Crime.”

The attribution problem

Morgan Wright, a cyber security expert who served at the State Department, raised one of the thorniest issues in cyber deterrence, the problem of attribution. Cyber attacks almost always come from entities that are loosely connected to nation states, if they can be identified at all. Unlike a clear act of war, like dropping a bomb, cyber attacks require an investigation and an opinion on who actually attacked us.

Morgan Wright

He added an insight, “The problem is too, is perception. People want to hear something’s being done. If the Russians invaded Florida, we would invade back. You’d hear it in the news. There’d be jet fighters, there’d be tanks.”Wright offered a solution, commenting, “If we could come up with a policy, even if it’s not always right, but sometimes you just have to start with a policy that says, ‘Hey, we may be wrong, but if X happens, we’re going to blame you, and if Y happens, we’re going to blame this guy.’ I think at some point you start putting a line out there in cyberspace that says, ‘If you cross it, there’s going to be repercussions.’

Captain Buss spoke to the attribution problem, saying, “Assured Identity and operationalizing authentication I believe will help ensure we can provide nonrepudiation, but we are not there yet and users across the world still operate with a certain level of impunity.  We either need to remove that impunity or set up a secured network where you do business and another that you use for leisure.”

Cyber norms, CNE and CNA

Dr. Kenneth Geers of COMODO Security

If this all weren’t complicated enough, there’s also the matter of “cyber norms,” a term used by Dr. Kenneth Geers of COMODO Security and The Atlantic Council. Dr. Geers pointed out that the international community has different “norms” concerning Computer Network Exploits (CNE), which is essentially breaking into the enemy’s networks for the purpose of espionage and Computer Network Attacks (CNA), which are destructive and might even lead to physical damage. “The problem with the NATO rules and the like is that someone has to die in order for it to be considered an act of war,” Geers said. “This is good, though. We need limitations on response and rules of engagement. Most countries are involved in CNE. They’re looking into the networks of their adversaries. The international community has come to a loose agreement on norms that CNE doesn’t warrant a military or serious cyber response. CNA, on the other hand, is a grey area. There, it’s more like, if you attack me, I might attack back.”

A point in time

This is a point in time for cyber deterrence. A decade from now, we might have a far better understanding of how cyber deterrents work. Unfortunately, that clarity might come at a high price, i.e. in the wake of a major series of cyber strikes and counter strikes. Does she or doesn’t she? Maybe we don’t really want to find out. At the same time, we might all feel better if we knew there was a deterrent available to stop the attacks.