How can the U.S. deter adversaries and impose costs on enemies launching cyberattacks against the country? With new strategies and policies opening up room for more aggressive responses, the best defense just might be a good offense, Federal cybersecurity leaders discussed Thursday.
“Deterrence and what it means is rooted almost in adversary psychology, so lots of people have lots of different views. The Department (of Defense) doesn’t try to articulate a very narrow and specific definition of deterrence,” said Dr. Clark Cully, cyber advisor, Office of the Secretary of Defense. “What it says is that we seek to shape what our adversaries are doing.”
For attackers, cyberspace is the perfect medium to poke and prod the U.S. from a distance.
“Our adversaries use cyber capabilities because it allows extensive reach at low cost, under the threshold of open kinetic warfare. It’s the ultimate asymmetric weapon,” said Nancy Norton, director of the Defense Information Systems Agency (DISA) and commander of the Joint Force Headquarters Department of Defense Information Network (JFHQ–DODIN) at an event hosted by Fifth Domain.
The question of how to deter attacks in such an environment is one of the most important, yet most vexing issues for Federal cybersecurity leaders. In the public release of the DoD’s new Cyber Strategy in September, deterrence is named as one of five strategic approaches, and appears 11 times in 10 pages. In the White House’s National Cyber Strategy, building a cyber deterrence initiative is set as a goal, and the concept of deterrence is mentioned 24 times.
However, in both of those strategies the concept of “defending forward” has emerged as an option.
“There’s this spectrum of competition, and we may take a defending forward action to put sand in the gears of what an adversary is doing. That may displace the threat, it may disrupt the threat, it may change the type of attack vector that is used, but we need to begin the learning process of taking action and maneuvering,” said Cully
“I think our offensive capabilities need to be very, very targeted. I think we will continue to be more discriminate than our adversaries in our offensive cyber capabilities, because we don’t use them for cyber means or cyber outcomes necessarily,” said Federal CISO Grant Schneider. “It’s part of a broader approach of, what are we trying to accomplish as a nation to either deter people or to retaliate and respond in some way.”
Dave Fredrick, chief of Strategic Counter Cyber Operations at the National Security Agency, echoed the idea of a broader approach to cyber deterrence.
“You’ve got to look at deterrence in an integrated way,” he said. Deterrence “will require a combination of cyber and non-cyber activities. What NSA does is work to provide threat intelligence that enables DoD and the Cyber Command, enables DoJ (the Department of Justice), and enables DHS to take action.”
Don’t expect an end to the barrage of incoming attacks anytime soon though.
“I don’t think Putin is going to go, ‘Oh, the U.S. has another offensive cyber thing. I think I should just stop using my offensive cyber capabilities,’” said Schneider.