With a barrage of attacks regularly hammering the private sector and nearly every U.S. federal agency, there is a strong need for government policies within an overarching cyber deterrence strategy. The impacts of network intrusions go well beyond the immediate loss of data: they ripple into malicious influence over public opinion, undermine global economic competitiveness, or even dull military supremacy.
Furthermore, the cyber domain is evolving, and threats are increasing in scope and disruptive capacity. Lieutenant General James Clapper, former Director of National Intelligence and a Cipher Brief expert, told a Senate Armed Services Committee hearing on cyber policy, strategy, and organization on Thursday that “In the past we have taken some comfort in that the entities that could do us the most harm – meaning Russia and China – probably have lesser intent. While the entities that have more intent – hacktivists, criminals, and terrorists – have less of a capability.” The problem, according to Clapper, is that the “gap between the two is closing” and there is an “insidious increase” in cyber activity against the United States.
Part of the challenge, particularly regarding adversaries like Russia, China, Iran, and North Korea, has been the absence of a coherent deterrence strategy. This has become abundantly clear with Russia’s continual interference in democratic political processes, even after being slapped with sanctions and the expulsion of 35 Russian Embassy personnel following their meddling in last year’s U.S. presidential election.
To more effectively communicate a deterrence strategy to its adversaries, the U.S. needs to be “more demonstrative of offensive cyber capabilities,” Admiral James Stavridis, the former NATO Supreme Allied Commander and a Cipher Brief expert, told the panel. “We don’t need to reach into our cyber toolkit every time we are cyber attacked, but in our zeal – appropriate enough – to try and protect our cyber tools, our sources, and our capability, we can lead some to underestimate our ability to retaliate,” Stavridis said.
To show how the U.S. could demonstrate its offensive cyber capabilities to deter adversaries, Stavridis said the U.S. could go after bank accounts of Russian oligarchs connected to the Kremlin, or even escalate further to targeting the offshore accounts of Russian officials, including even Russian President Vladimir Putin – either diminishing them or revealing them to the Russian public. Even now, there are anti-corruption protests in Russia as a result of documents revealing bribery and opulence – including by Russian Prime Minister Dmitry Medvedev – found within the compromised email accounts of Russian officials leaked by an anonymous collective known as Shaltai Boltai, Russian for “Humpty Dumpty.”
General Michael Hayden, the former director of the NSA and CIA and a Cipher Brief expert, said that by undermining U.S. and European electoral processes, Russia is “using tools to attack the foundations of democracy.” This means that the U.S. can, in turn, “use tools to attack their foundations of autocracy,” such as introducing anonymizing tools that make it more difficult for the Russian government to track their own citizens.
While responding to attacks with its own cyber operations could have a deterrent effect, Clapper told the hearing that “we should use all the tools available – diplomacy, economic sanctions, and military power.” Otherwise, by only responding to cyber with cyber, the U.S. is “letting them define the terms of engagement.”
Furthermore, Clapper said that even with consideration of a cyber deterrence strategy, building defense and resilience is paramount to developing offensive cyber capabilities to respond, because otherwise, “We are always going to doubt our ability to withstand a counter retaliation.” For instance, when Iran launched a volley of denial of service attacks against U.S. financial institutions in late 2011, the Intelligence Community decided not to respond out of fear of an Iranian follow-on attack that could cause further, disproportionate damage. “Defense and resilience must,” according to Clapper, “be the pillars of whatever policy and strategy we adopt,” as they are “the very foundation of deterrence.”
Without a strong defense, the U.S. will be hindered in using offensive tools because of a lack of confidence in its resilience against counter-retaliation attacks – limiting its ability to forcibly respond to adversaries’ incursions.
Perhaps one of the most tangible steps that can be taken toward establishing a cyber deterrence strategy is alluded to in a question by Armed Services Chairman John McCain (R-AZ), who asked whether over-classification undermines “our ability to talk openly and honestly about cyber deterrence?”
“Yes, we over-classify,” said Clapper, who added, however, that, “Transparency is a double-edged sword.”
Cyber capabilities have largely remained under the NSA’s purview for digital intelligence collection efforts. As Hayden said, “Part of the classification problem is that our cyber thinking in the armed forces, and in the government, is rooted in the American intelligence community.”
Now, with the desire for offensive, intentionally attributable cyber capabilities to be part of a broader strategy of deterrence, there is a push to separate the NSA’s intelligence role from Cyber Command’s military mission. Here, the opinion was unanimous among the three witnesses – it is time to separate Cyber Command from the NSA. “Let me join consensus here,” Hayden stated, “I think there is a point in time, and I don’t think it is very far away, where the structures have to adjust to changing capacities, and Cyber Command and NSA have to be separated.”
These steps – building out defense and resilience across the private and public sectors, further declassification, and demonstrating U.S. offensive cyber capabilities through an independent Cyber Command – could be the beginning of a coherent U.S. deterrence strategy in cyberspace.
Levi Maxey is a cyber and technology analyst at The Cipher Brief. Follow him on Twitter @lemax13.