Deterrence by Diminishing Returns

During his testimony at a recent Senate Armed Services Committee hearing on cyber threats, former U.S. Director of National Intelligence James Clapper Jr. said it is “best to consider all instruments of national power” when responding to cyber threats. Indeed, the United States has an arsenal of response mechanisms against hackers, including economic sanctions, cyber attacks, and traditional military maneuvers. These mechanisms, however, have not reliably deterred hackers from targeting the United States. Policymakers should focus on increasing the cyber resiliency of the public and private sector to help deter future threats.

The debate surrounding the U.S. intelligence community’s findings that Russians hacked the Democratic National Committee illustrates the uphill battle U.S. policymakers face in deterring hackers. The intelligence community, looking to protect sources and methods, cannot disclose the evidence necessary to both publicly and irrefutably inculpate Russian hackers. The absence of indisputable evidence can undermine the legitimacy of any retaliatory measures meant to deter future cyber aggression. Moreover, President Trump’s intent to “move on” from the incident may only embolden Russian hackers to continue or escalate hacking and disinformation campaigns against the United States.

If Russia were the only cyber threat, U.S. policymakers could likely devise a coherent deterrence strategy based on proportional power, much like its nuclear deterrence strategy in the Cold War. However, cyber attacks are difficult to attribute and can be perpetrated by several different actors, from nation-states to international criminal enterprises to individual hacktivists. It would be nearly impossible to create a uniform strategy to deter actors who can mask their attacks and who have vastly different capabilities, motives, and incentives. As a result, the United States currently uses a case-by-case response framework, which fails to promote predictable retaliatory responses to deter cyber attacks.

Policymakers also run into significant challenges if they choose to deter hackers by using cyber weapons. Unlike measuring the physical impact of a bomb or missile, it can be difficult to gauge a cyber weapon’s impact, especially when it leads to unintended second- and third-order consequences. Thus, a retaliatory response could be under-proportional and fail to deter, or over-proportional and escalate the conflict beyond the original intent. Additionally, demonstrating retaliatory capabilities—the equivalent of nuclear bomb tests in the Cold War—diminishes the deterrent’s effectiveness because the attack’s source code can be studied and thwarted after its first demonstration. (1)

Cyber resilience is a more reliable strategy to deter cyber attacks. As PW Singer explained in a recent article, “our [deterrence] strategy should be joined with an effort to build resilience, the ability to shrug off future attacks.” Resilient organizations and systems quickly respond to and recover from a cyber attack or cyber espionage campaign, thus preventing or mitigating consequences. Fewer or less severe consequences decrease a hacker’s payoff, thereby reducing the incentives to repeat the offense.

Cyber resilience can be achieved at the technical, organizational, and systematic levels. While technical resilience is vital, there are greater policy implications for organizational and systematic levels of resilience. At the organizational level, each corporation and public agency needs adept, trusted leaders who spearhead awareness and preparedness with regular cyber threat assessments and planning. Resilient entities possess top-down organizational dedication and bidirectional information sharing from the CEO to the program managers to the IT team. At the systematic level, resilient private and public sector actors share threat information to help each other quickly detect and recover from attacks. They also conduct regularly planned joint simulation exercises to improve collaborative response, mitigation, and recovery plans.

As the federal agency responsible for protecting civilian government networks and partnering with the private sector, the Department of Homeland Security (DHS) is best positioned to advance organizational and systematic cyber resilience in the public and private sectors. DHS Secretary Kelly must ensure that DHS provides agencies and private entities the resources to develop organizational resilience to cyber attacks. Specifically, DHS should create a cross sector working group to help agency and company leaders foster top-down cyber security cultures that promote cyber hygiene and implement organizational cyber attack response plans.

Additionally, Secretary Kelly must bolster systematic cyber resilience throughout federal civilian agencies and the private sector. One strategy is to promote the Automated Indicator Sharing platform, which allows real-time bidirectional cyber threat indicator sharing among federal agencies and the private sector. The more entities that “plug in” to the platform, the more resiliency is fostered across the United States as entities receive threat information to help quickly detect and recover from cyber attacks. However, the DHS January 2017 “exit memo” stated that only 74 entities joined AIS since it went live in March 2016. Secretary Kelly should lead an aggressive outreach effort to persuade more civilian agencies and private companies to join this information sharing platform.

Promoting cyber resilience will deter cyber aggressors and help both public and private US organizations to become more secure in cyberspace.

1.) For a more in-depth look into issues with cyber deterrence, see Martin C. Libicki, Cyberdeterrence and Cyberwar, Rand Corporation, 2009, available at http://www.rand.org/content/dam/rand/pubs/monographs/2009/RAND_MG877.pdf