Time and time again companies, organizations, and government agencies have proven that they can’t completely secure their computer networks from hackers – particularly nation-states with the resources to pursue access persistently. Instead of focusing solely on network defense, the United States can adopt a deterrence strategy that dissuades foreign governments from targeting U.S. systems in cyberspace. The Cipher Brief’s Levi Maxey spoke with Michael Sulmeyer, the Director of the Belfer Center’s Cyber Security Project at Harvard University, about what a deterrence strategy might look like, and what it can and cannot do to prevent malicious cyber activity from targeting U.S. institutions.
The Cipher Brief: What are some of the similarities and differences between nuclear deterrence and cyber deterrence?
Michael Sulmeyer: There are many more differences than similarities. The biggest difference is that we have a very clear sense in the nuclear space of what we are trying to deter – specifically a nuclear attack against the United States. We also have some clarity on how we were going to deter it: through the use of our own nuclear forces. When we think about cyberspace, however, we do not have a consensus about what exactly we are trying to deter, and the means through which we could even try to deter are very diverse. We don’t have consensus about which means are appropriate to achieve what kind of goals.
TCB: In the cyber domain there is a plethora of actors, and there may be different ways to deter different actors. How can we tailor our deterrence to specific actors?
Sulmeyer: A lot of scholars and practitioners have used the idea of tailored deterrence in different ways. When I hear the term, I think about being very clear about not just what conduct you are trying to deter, but also who you are trying to deter from doing it, and then tailoring ways to impose costs based on that adversary in particular. You may actually have to deal with the problem – which is the threat of cyber attacks against the United States – not just according to deterrence, but also through a combination of defense, prevention, and resilience, which are all different from deterrence. You need a whole suite of steps to prepare yourself for dealing with the problem.
TCB: Can you compare cyber deterrence to criminal deterrence?
Sulmeyer: Deterring crime is a better way to think about it. You become more focused on reducing the incidence of the problem as opposed to eliminating it. Any use of nuclear weapons was to be deterred, whereas with the vast majority of crime, what you are really trying to do is signal to would-be criminals that there are going to be costs, but you know there are still going to be people who perpetrate crimes.
TCB: Signaling intent to respond has traditionally been part of deterrence frameworks. Could you talk about avenues of signaling that the U.S. will retaliate for cyber attacks?
Sulmeyer: Signaling within the domain of cyberspace is very hard. You have to hope that the guy reading the log file on the other end picks up on your attempt at signaling, interprets it correctly, passes that to someone who passes that to someone who can make a decision, and that they share that interpretation and all of that is in a timely manner. That is very difficult to do. Another reason why that is so difficult is because it is not clear that such actions actually impose costs that are meaningful to the other country. For example, how confident are we that sanctioning North Koreans for hacking is interpreted by their leadership as a compelling cost? It is not clear that such a signal is particularly meaningful to them.
TCB: What does timeliness have to do with deterrence?
Sulmeyer: You don’t want to let too much time elapse between the act and the cost imposed. The more time that elapses, the more explanation that you really have to try to hammer home to make clear to the other country that the costs you are imposing are because of what the other country did six, seven, eight, nine months ago. The indictment of the Iranian hackers two years ago, for example, was for something that happened years before that. That makes it a little more tenuous than if the U.S. had been able to get that done in a month or two. But I think the myth is that it has to be instantaneous – that somehow responding to and deterring cyber attacks happens at machine speed. It doesn’t have to be that second, that hour, or that day.
TCB: Is there a threshold of activity in cyberspace beyond which countries have agreed that it is not ok to go?
Sulmeyer: It does seem right now that there is almost a tacit or implicit understanding that the threshold to be observed is to not threaten life and the physical destruction of property through cyber attacks. We are getting close with things like this by disrupting power distribution and transmission – the incidents in Ukraine come to mind. But that is the threshold that countries – either for reasons of deterrence or just not having the intent – are largely observant of.
TCB: Some cite as a success story the agreement President Barack Obama and Chinese President Xi Jinping made in 2015 to stop economic espionage. It came against the backdrop of indictments and the threat of sanctions. Could something like this work with other countries?
Sulmeyer: I would hesitate to champion deterrence too much in this regard, if only because I think it was the indictment of the five PLA officers, rather than the deal, that resulted in the change in behavior that had anything to do with the United States. Another development that resulted in the change of behavior was purely internal to China – the desire for consolidating the forces and the actors within China conducting cyber activities. Regardless of what cost the United States threatened to impose, or tried to impose, and how that was felt by the Chinese, they had their own reasons for changing their behavior to whatever extent we observed that they changed it.
TCB: Does the U.S. feel a sense of responsibility for deterring cyber attacks against critical infrastructure in allied countries that are strategically important to the United States?
Sulmeyer: I don’t think there is anything explicit that would actually put the United States on the hook where there would be an expectation from a partner or an ally in that regard. But under the surface you see a lot of attempts to help victims or would-be victims abroad through different forms – not just information sharing, but trying to get ahead of the problems. Sometimes is happens through traditional channels – typical military-to-military relationships that used to deal with, for example, training non-commissioned officers. You could imagine it evolving to include some things about prevention of malicious cyber activities.
It can also happen between private cyber entities with no role for the government in actually providing that kind of assistance. So while there is nothing formal that would implicate that kind of extended deterrence, that kind of umbrella, I see a lot of acknowledgement that there is a need to help our allies and our partners.
TCB: Are offensive cyber capabilities in the United States overly classified and, if they were more widely known, could those capabilities signal others to maybe think twice about attacking the U.S. in the cyber domain?
Sulmeyer: There is a belief that if the United States could demonstrate more of its offensive capability, that would deter others. I worry about that mindset a lot. Many countries believe they know about U.S. cyber capabilities. Certain unauthorized disclosures might come to mind. True or not, those reports shape perceptions.
TCB: What is missing in the conversation about deterrence?
Sulmeyer: There are real threats right now in terms of intrusions and being held at risk, and deterrence is not going to be the be-all end-all. It is comfortable as a strategic concept to a lot of people, but it has to be part – but only one part – of a package of policies and decisions that we make in the United States about how we are really going to keep the country safe.
Michael Sulmeyer is the Belfer Center’s Cyber Security Project Director at the Harvard Kennedy School. He is also a Contributing Editor for Lawfare. Before Harvard, he served as the Director for Plans and Operations for Cyber Policy in the Office of the Secretary of Defense. There, he worked closely with the Joint Staff and Cyber Command on a variety of efforts to counter malicious cyber activity against U.S. and DoD interests. For this work, he received the Secretary Medal for Exceptional Public Service. Previously, he worked on arms control and the maintenance of strategic stability between the United States, Russia, and China.