Yesterday the Department of Defense released its 2015 Cyber Strategy. Its purpose is threefold according to Defense Secretary Carter: “to guide the development of DoD’s cyber forces and strengthen our cyber defense and cyber deterrence posture.” The emphasis on deterrence is significant as the previous Departmental Strategy for Operating in Cyberspace, released in 2011, did not treat the subject in like detail. At the same time, critics have characterized existing U.S. efforts to cyber-deter as “`remarkably ineffective’”. Arguably, fresh focus on the matter may prove helpful.
From the standpoint of cyber deterrence, a key passage in the new Strategy is this:
The United States must be able to declare or display effective response capabilities to deter an adversary from initiating an attack; develop effective defensive capabilities to deny a potential attack from succeeding; and strengthen the overall resilience of U.S. systems to withstand a potential attack if it penetrates the United States’ defenses. In addition, the United States requires strong intelligence, forensics, and indications and warning capabilities to reduce anonymity in cyberspace and increase confidence in attribution (p. 11).
In essence, America’s ability to respond and bounce back must be credible and made known, so as to minimize the benefits that would accrue to an attacker — thereby altering the adversary’s attack-calculus ex ante. Attribution is a critical component because it underlies “response and denial operations” (p. 12).
In order to reach these various ends in practice, the Strategy calls upon US Strategic Command to assess whether DoD is building the requisite capabilities (pp. 25-26). In doing so, STRATCOM is to build upon the work of the Defense Science Board’s Task Force on Cyber Deterrence, whose terms of reference are elaborated here. Notably, the Strategy specifies further that STRATCOM’s assessment is to incorporate the DoD capabilities needed for “deterring non-state actors that may fall outside of traditional deterrence frameworks but which could pose a considerable threat to U.S. interests” (p. 26). This is a crucial caveat given the prevailing threat spectrum.
The challenge ahead is considerable, bearing in mind that deterrence is complicated enough when it involves state actors (including those whose propensity to act rationally may not always be apparent). For a fuller analysis of the Strategy plus the Defense Secretary’s trip to Silicon Valley this week and the new initiatives he announced there, see here and here.