More Refined Deterrence Strategy Needed To Achieve Better Cybersecurity, Some Cyber Experts Say
Information sharing among nations, collective defense and other approaches to deterrence are steps that the U.S. and other countries can take to strengthen defenses in cyberspace, U.S. and foreign government officials and information technology security experts said Monday at the Center for Strategic & International Studies. The U.S., EU, Australia and other countries have moved forward on improving cybersecurity, said William Lynn, former U.S. deputy secretary of defense. “But I think much remains to be done,” he said. “In my view, we’re not moving fast enough to address the weaknesses given the pace of the threat.” No country can safeguard the Internet alone, said Mart Laar, Estonian minister of defense: “Attackers in cyberspace cross borders and so should we.”
The future of the cyberthreat will include continued exploitation and degradation efforts, like the cyberattacks in Estonia and Georgia, Lynn said. The most dangerous threat is actual destruction, he said. It’s just emerging, but “when you look at what tools are out there, it is clear that the capability for these destructive tools exists.” The private sector must deal with cybersecurity and share information with the government and one another, Laar said. “It is clear that these attacks only become stronger and losses for the private companies will become bigger.”
Cyber intrusions impact national security and economics, said James Miller, principal deputy undersecretary of defense for policy. Cyber espionage is an everyday reality, he said. The U.S. needs to build collective defense due to the vastness of cyberspace, Miller added. To implement this approach, the Department of Defense is working with defense companies, other private sector organizations and other departments, he said. One of the biggest problems in the debate is the language used to compare cyber attacks to Pearl Harbor or 9/11, said Dmitri Alperovitch, president of Asymmetric Cyber Operations. To launch an attack “that causes massive destructive damage [and] loss of life is incredibly hard today.”
Deterrence shouldn’t focus solely on retaliation, some government security experts said. It “must be based in denying the benefit of an attack,” instead of the threat of retaliation alone, said Lynn. The government “must aim to change our adversaries’ incentives in a far more fundamental way,” he said: “If an attack will not have its intended consequences, those who wish us harm will have less reason to target us through cyber in the first place.” By deploying this strategy, “denying benefits to attackers and good defenses are likely to allow us to trace the attack back to its source,” Miller said. “Raising the costs for adversaries … and demonstrating consequences for unacceptable behavior is the only way we will achieve security in this domain,” said Alperovitch, who led breach investigations for McAfee.
Deterrence “with a small ‘d’” is possible, but classical deterrence is not, said Michelle Markoff, senior policy advisor in the State Department’s Office of the Coordinator for Cyber Issues. “You cannot, in real-time and with high confidence, attribute … identity to an attacker.” There needs to be a series of mutually reinforcing and overlapping strategies, she said. For a more refined approach, the U.S. should deter only those adversaries who can create a “national-level problem,” she said. Cyberspace is an offense-dominant area, said Steven Schleien, Defense Department principal cyber policy director. The department is working on strengthening the defensive side and improving its ability to attribute attacks. Its partnerships with NATO, law enforcement and other entities intend “to increase our situational awareness … that will help with attribution in terms of cyber events worldwide,” he added.
The cloud provides some opportunities to enhance cybersecurity in a way that is cost-effective, said Lynn and Miller. There’s better security in the cloud with more sophisticated defenses around more data and users, Lynn said. However, the other side of that is it creates “more lucrative targets,” he said: “If you are able to penetrate the cloud, you can do more damage, more destruction than just individual computers.” The challenge is finding a way to segment the data and make the cloud much harder to attack, he added. Miller said he expects continued investment in resources for cyber capabilities amid the nation’s budget-cutting efforts: DOD is looking “to protect and invest the capabilities that we think are critical.” As the government transitions to cloud-based approaches, “we should be able to drive costs down for the IT that supports military operations,” he added.
Some experts clashed on the effects of pending legislation intended to protect networks. “The same mechanisms that are used to suppress malware can also be used to suppress a lot of other things,” said Martin Libicki, senior management scientist at RAND Corporation. The DOD’s Strategy for Operating in Cyberspace has a “light touch” approach and it will be of low cost to government, Miller said. Compared to other cybersecurity proposals in the House and Senate, “there are a lot of common elements,” he added.