Senate mulls national cyber policy, strategy: Deterrence vs defense

Gen. Keith Alexander delivers remarks at his retirement ceremony at the National Security Agency, on Fort George Meade, Md., March 28, 2014. Official DoD photo by Sgt. Aaron Hostutler, USMC (Released)

The Senate Committee on Armed Services heard testimony on Thursday from an expert panel on developing a national cyber policy and strategy – two long-advocated issues that so far have eluded multiple Congresses and presidential administrations.

While the topics in Thursday’s hearing were wide ranging, much of the discussion focused on the fundamental need for a two-pronged approach that entails both cyber defense – the ability to fend off cyberattacks – and cyber deterrence – the ability to discourage an enemy from ever attacking.

Committee Chair Sen. John McCain, R-Ariz., a vocal proponent of developing a holistic policy and comprehensive strategy, said the issue is “the most significant challenge” in a generation and – aside from funding – “the highest priority this committee should have.”

“Treating every attack on a case-by-case basis, as we have done over the last eight years, has bred indecision and inaction,” McCain said. “The appearance of weakness has emboldened our enemies.”

He continued, “I have yet to find any serious person who believes we have a strategic advantage over our adversaries in cyberspace and, in fact, many of our civilian and military leaders have explicitly warned the opposite.”

In opening remarks, former NSA Director and the first Commander of U.S. Cyber Command Gen. Keith B. Alexander (retired) agreed with McCain that the U.S. is “woefully unprepared to handle cyberattacks in both government and commercial sectors.” Alexander pointed to recent destructive cyberattacks on Saudi Arabia by Iran and said, “We are not prepared as a nation to handle those.”

Alexander said two challenges complicate cyber: The high volume of unique information that is now created – which doubles every year – and the rapid pace of technological development – which doubles every two years.

Alexander argued that developing stronger private-public sector partnerships is key to success, and he noted, “Industry does want to work with government.”

In opening remarks, Defense Science Board Chairman Dr. Craig I. Fields and his colleague James N. Miller, former undersecretary of defense for policy, addressed the issue of cyber defense vs. deterrence, which is the topic of a recently completed DSB study.

Fields said, as of right now, “It’s simply not possible to defend against the high-level threats,” by which he meant sophisticated threat actors and advanced cyberattacks. The U.S. can defend against mid- to low-level actors and attacks. For high-level attacks, such as those from Russia and China, Fields said the U.S. must find ways to deter them, because “means of defense are not up to means of offense at this time.”

Fields then outlined eight fundamental principles of cyber deterrence, based on DSB’s research, which included:

  1. You don’t deter countries; you deter people.
  2. Deterring an individual relies on psychology, not physics.
  3. Assume people act in their perceived self-interest, which means deterrence requires making the cost more than the expected benefit.
  4. Cyber deterrence doesn’t have to be “like for like” (e.g., cyber with cyber); the U.S. can use other means (e.g., economic, diplomatic, etc.).
  5. Response doesn’t have to be “symmetrical” (e.g., can be greater, different, etc.).
  6. Any deterrent action risks the possibility of escalation, but not deterring carries certainty of escalation.
  7. It’s a more effective deterrent to respond quickly to an attack rather than to delay.
  8. Credibility is crucial; adversaries must believe the U.S. will do what it says it will do.

Miller, a self-described “policy wonk,” built on Fields’ principles by describing three “problem sets.” The first is major powers, most prominently Russia and China. For at least the next decade, Miller said, the offensive capabilities of these actors will “far exceed” the U.S.’s ability to defend U.S. critical infrastructure. Because of the U.S. military’s heavy reliance on IT, these actors are actively working to “thwart” U.S. military responses. Miller said this mix of factors has “the potential to put the U.S. in an untenable strategic position.”

Miller’s second problem set included regional powers, such as Iran and North Korea, who have not yet inflicted “catastrophic” damage on U.S. critical infrastructure but who should be expected to eventually develop or obtain the capability to do so.

The third problem set is a range of state and non-state actors, who are the least sophisticated but nonetheless still capable of “persistent cyberattacks and costly cyber intrusions.” These actors are capable of imposing “death of a thousand hacks.”

Miller outlined three broad initiatives for action, including:

  1. Plan and conduct tailored deterrence campaigns to deal with the range of actors and potential scenarios.
  2. Develop a cyber-resilient “thin line” of key U.S. strike systems to credibly impose unacceptable costs in response to even the most sophisticated large-scale cyberattacks.
  3. Continue developing foundational capabilities, such as enhancing cyber attribution, the broad cyber resilience of the joint force and the U.S. cyber workforce.

Columbia University Law School Professor Matthew C. Waxman testified on issues of international law as it applies to cyberwarfare. Waxman’s testimony focused on questions around what constitutes an act of war – and appropriate responses – and the concept of international cyber sovereignty. Waxman said ambiguity persists because “International law in this area is not settled.”

On the question of cyber acts of war, Waxman said the U.S. and many other nation-states now analogously apply existing, well-known laws of kinetic warfare to cyber – such as “force thresholds” contained in the U.N. Charter. Waxman noted this isn’t the only way to approach policy or strategy, but it can nonetheless accommodate them.

On the issue of international cyber sovereignty, Waxman said a better understanding of the meaning of cyber sovereignty is needed, particularly because its definition can have significant impact on offensive and defensive actions in cyberspace. “Sovereignty is not absolute, and the meaning is fuzzy,” Waxman said. There’s currently not enough evidence to draw conclusions on whether certain cyber activities violate sovereignty, he said.

The Russian hacking of the 2016 U.S. elections was the topic of several exchanges. At one point, McCain asked Waxman, “If an adversary is capable of changing the outcome of an election, that’s a blow at the fundamentals of that country’s ability to govern, right? An election system of democracy: If you destroy it, then you’ve basically dealt an incredible blow to that country.”

Waxman replied, “I would call that certainly a very hostile act that demands a strong response as it is certainly a threat to our democracy. Legally, though, I would not regard that as an armed attack that would justify a military response.”

To which McCain replied, “I wouldn’t call it an armed attack, but I would call it an attack that has more severe effects than possibly shutting down an electrical grid.”

Waxman replied, “That’s correct. I think there are categories of activity that can have tremendous effects on states’ core interests, and, at least traditionally, international law has recognized only certain categories as justifying armed force in response.”

McCain replied, “Well, thank you. You’ve raised one of the fundamental questions that has to be resolved by the Congress and the American people: What is an attack? What response is proportionate? Should we always play defense? Should we, if we see an attack coming, should we attack first?”

Later, Sen. Elizabeth Warren, D-Mass., advocated for cyber deterrence like the U.S.’s nuclear deterrence during the Cold War. Asked what, “substantively,” the U.S. should do to deter cyberattacks, Miller suggested proactive planning and then communicating to enemies the intent to respond to cyberattacks.

Warren pressed, “Okay, so I’m hearing you saying be sure that they know what you’re going to do. I’m just not hearing what range of options there are for us to do.”

Miller gave a long response drawn from DSB research and added, “Looking at what imposes specific costs on Vladimir Putin and his inner circle that would cause them to not just pause, but to reconsider conducting this type of activity in the future.”

A visibly exasperated Warren began to ask for more specifics, but Fields observed, “We’re not quite answering your question,” to which Warren agreed. Fields continued, “We’d like to do so in closed session.”

Fields added, “In terms of defense-deterrence, today, in 2017, the techniques that the best cyber offense people can use trump the techniques that the best cyber defense people can use. That may not be true in five years.”

Warren replied, “Doesn’t that argue even more strongly for a deterrence strategy rather than relying exclusively on a defensive strategy – and not confusing a defense strategy with a deterrence strategy?” Fields and Miller conceded, implicitly referring to their opening statements.

At this point, Waxman said, “Political interference is not an uncommon thing in international affairs.” However, he expressed caution about how international law might apply to justifying a response and added, “There should be a menu of options for how we deter these types of actions.”

Warren concluded the exchange by noting, “Nuclear deterrence works in part because we all knew it was out there. When we can’t describe, even in the most general terms, what will happen if you engage in a cyberattack against us, and, indeed, it’s clear we’ve been the victims of a cyberattack by the Russians, and we can’t describe any kind of response to that, it seems to me deterrence at that moment melts away to nothing.”

On the issue of reestablishing U.S. credibility as a principle of deterrence following Russia’s meddling in U.S. elections, Fields said, “Do not make a declaration without action.”

On the related issue of Russian information warfare, Miller said the U.S. is “in a competition of models of government with China and Russia. A fundamental goal should be to knock down fake news. Cyber is a tool to take down fake news. Policies and rules to guide that would be helpful.”

To handle non-state actors, Miller suggested differentiating between two groups: cybercriminals and cyberterrorists. The former can be stopped with a cost-benefit deterrence structure, Miller said. For the latter, deterrence must be rooted in total denial – the ability to preempt a cyberattack.

The current organization of the four entities – Defense Department, Cyber Command, NSA, FBI – tasked with responding to cyberattacks came up several times. Alexander said his conversations had revealed that, “Agencies don’t understand roles and responsibilities. They don’t know what they should be defending.”

McCain called the entities “four different islands” and wondered if the status quo “stove-piped scenario” is working.

Alexander replied, “[It] doesn’t make sense. If we were running them like a business, we’d put them together. Bring them together under one framework and practice using exercises to show how this would and could work. We haven’t done that. What we have is people acting independent. When industry looks at government, they are dismayed.”

Fields suggested government’s cyber response is even more complex when the role of, for instance, the U.S. Treasury is considered. Miller added that he’s not convinced a “massive reorg” is appropriate. Miller instead proposed an “integrating body,” building toward a national counterterrorism model.

Despite McCain’s recognition that “bold action” is needed, Alexander noted that he first testified to the committee on cyber policy and strategy seven years ago. At various times during testimony, Alexander seemed to express a mixture of urgency and slight exasperation when suggesting things could – and should – be done now, warning repeatedly that the U.S.’s current path risks falling far behind adversaries.

Sen. Angus King, I-Maine, suggested “warfare is changing right before our eyes” and drew a historical analogy to the role of technology (i.e., the longbow) in the 1415 Battle of Agincourt between the British and French, in which a British army of 7,000 “overwhelmingly defeated” a French army of more than 20,000. King said, “The mightiest army in the world, the French, failed to wake up to the importance of the new technology, the longbow.”

“Right now,” King continued, “We are the mightiest military in the world, but for the cost of one F-35, the Russians can hire 5,000 hackers. We’ve got to get this right, and if you’re right that, technically, we can’t defend ourselves, then deterrence is the only answer.”

King then asked the panel whether cyber policy and strategy need congressional action or whether the executive branch should take responsibility. Alexander replied it should probably involve both branches of government and that, within the right framework, government and private industry could work together to implement a “much better” solution.

King interjected, “Much better, but do you think it’s capable to defend entirely? I just don’t think that’s possible technologically.”

Alexander replied, “I think it can be done, although it might not be perfect at first, but in five years …”

At which point King interjected, “I don’t think we have five years. This is the longest wind-up for a punch in the history of the world.”