- The Washington Times - Thursday, May 7, 2009



Since the dawn of the nuclear age, the policy of deterrence has helped to prevent Armageddon. Today, as the United States confronts security threats in cyberspace, the applicability of deterrence has never been greater.

Policymakers in Washington should examine how the threat of military force can be used to prevent attacks in cyberspace. Regrettably, deterrence has been an underutilized element of Washington’s efforts to build a strong cybersecurity policy.

Without a cyberdeterrence policy in place, the United States can expect more and larger cyberattacks on its interests. It was reported in the Wall Street Journal on April 21 that a cyberintrusion breached the Pentagon’s $300 billion Joint Strike Fighter (JSF) program. The attackers copied critical design information which could make it easier for an adversary to defend against the aircraft in a conflict.

The Obama administration recently concluded a 60-day review of U.S. cybersecurity; details of the review have not been released, though it is believed the review focused largely on the coordination of U.S. cyberinitiatives throughout the federal government.

An effective cybersecurity strategy must include a clearly articulated cyberdeterrence policy. When responding to a cyberattack, Washington should move beyond cybercounterattacks to include full kinetic attack options.

In other words, cruise missiles or precision guided munitions should be used to retaliate against facilities where cyberattacks are launched with the complicity of an enemy state. All options should be on the table when it comes to responding to attacks in cyberspace.

A declaratory cyberdeterrence policy will not eliminate the threat of cyberattacks, but it will limit the number of attacks - particularly from state actors such as China. Lone-wolf hackers are much more difficult to deter, but deterring state-sponsored cyberattacks will make an incredibly complex problem more manageable as resources can be diverted to focusing on lone-wolf hackers. The deterrent piece of U.S. cybersecurity strategy should focus on state actors. States who sponsor cyberattacks - or allow nonstate actors to launch attacks from within their borders - should be held responsible for such attacks.

Deterrence is a simple concept to grasp, but its execution is much more difficult. This thought can be boiled down to a simple if-then statement: If you attack me, I will attack you. The message: Don’t attack me in the first place. Successful deterrence requires the ability to credibly threaten that which an adversary values and the capability to follow through if the adversary crosses predetermined red lines.

Just what are those red lines? Policymakers need to think seriously about this issue and what types of attacks warrant kinetic responses. A state-sponsored campaign should certainly be on that list. However, deciding what exactly constitutes a red line is a major policy decision which will need to be debated heavily and then clearly communicated to the rest of the world.

By telling the world that all options are on the table when it comes to responding to cyberattacks, most states will likely find the costs of launching cyberattacks against the United States unacceptably high and thus be deterred.

For this to work, however, Washington’s threats must be credible. This means that the first state to seriously attack the U.S. in cyberspace after the U.S. deterrence policy is articulated must be attacked with conventional munitions. Selected military targets that enable cyberoperations against the United States should be destroyed. Moreover, states will have a powerful new incentive to find and root out nonstate actors operating within their borders.

Of course, for cyberdeterrence to work, attribution is critical. We need to know who perpetrated the attack. Cyberattacks can be launched from anywhere, making targeting a difficult task. Unsurprisingly, this makes intelligence an absolutely critical part of the cyberdeterrence equation. Sophisticated hackers are easily able to cover their tracks. Significant investments should be made into improving our attribution capabilities.

Attacks in cyberspace are not going away. The Pentagon has spent more than $100 million in the last six months repairing damage from by cyberattacks, according to Gen. John A. Davis, deputy commander of the Joint Task Force for Global Operations. Cleaning one infected computer can cost between $5,000 and $7,000.

It is difficult to overstate our dependence on networked computers and other information technologies. Laptops, personal computers and, of course, the ubiquitous BlackBerry are the lifeblood of business, personal communications and global information sharing. And that’s just in the civilian world.

While the Pentagon’s computer networks are hardened from cyberattacks, they clearly are not impervious to intrusions.

The United States cannot afford a Pearl Harbor in cyberspace. A distributed denial-of-service campaign against critical infrastructure targets such as power, water and transportation would be catastrophic - so too would be a coordinated attack on the financial services and banking industries. Worse yet, a pre-emptive cybercampaign could be used to negate our overwhelming military advantage, making us more susceptible to the conventional military power of near-peer competitors.

Crafting an effective cyberdeterrence policy will not be easy task. But right now, our lack of a coherent deterrence policy is a hole in our overall cybersecurity strategy. We will be able to leverage some of the lessons we have learned from our six-decade policy of nuclear deterrence. However, cyberspace is a unique domain and will require fresh ideas to make a new kind of deterrence effective.

Thomas M. Skypek is a defense policy analyst. The views expressed are solely those of the author.

Copyright © 2018 The Washington Times, LLC. Click here for reprint permission.

The Washington Times Comment Policy

The Washington Times is switching its third-party commenting system from Disqus to Spot.IM. You will need to either create an account with Spot.im or if you wish to use your Disqus account look under the Conversation for the link "Have a Disqus Account?". Please read our Comment Policy before commenting.


Click to Read More and View Comments

Click to Hide