Defense Secretary Ash Carter, right, accompanied by Joint Chiefs Chairman Gen. Martin Dempsey, left, smiles during a news conference at the Pentagon, Thursday, April 16, 2015. (AP Photo/Andrew Harnik)
The Department of Defense has just issued a new cyber strategy, which perhaps provides the best public presentation of how the United States thinks about cybersecurity. As always with these documents, what is left out is as important as what is put in. So how has U.S. strategic thinking about cybersecurity changed in the post-Snowden era?
The United States isn’t worried about a ‘cyber Pearl Harbor’ any more
When people started to worry about cybersecurity, many, including then-defense secretary Leon Panetta claimed that the United States was in danger of a ‘Pearl Harbor’ type attack that could devastate the country. There is no ‘Pearl Harbor’ alarmism in the current document. Instead, it suggests that the United States faces the threat of persistent low level attacks that could damage individuals or firms, as well as targeting some industrial systems. The document also singles out efforts to “steal U.S. intellectual property to undercut our technological and military advantage” and specifically identifies China as a major culprit.
Thursday’s revelation that the United States apparently targeted EADS, a major European military contractor, for NSA spying, was especially poorly timed from the United States’s perspective, although the United States can still maintain that it does not spy so as to pass on stolen intellectual property to U.S. firms (and may conceivably have been targeting EADS for purposes that had nothing to do with snooping through its weapons systems).
The United States is now acknowledging that it has developed offensive as well as defensive capabilities
In the past, the United States has been very cagey about its ability to conduct offensive actions in cyberspace. Over the last few years though, U.S. officials and former officials have gradually started to open up a little bit and discuss how the United States is able to mount cyber attacks on other countries. The new document goes much further in specifically acknowledging that the United States is capable of attacking other countries’ information systems, and willing to do so under some circumstances. It says that there “may be times when the President or the Secretary of Defense may determine that it would be appropriate for the U.S. military to conduct cyber operations to disrupt an adversary’s military related networks or infrastructure so that the U.S. military can protect U.S. interests in an area of operations.”
Unsurprisingly, the strategy document does not refer to other aspects of United States’s offensive capabilities. For example, it doesn’t discuss how the US spies in cyberspace, which occupies a gray area in international law. Nor does it discuss the U.S. role in covert operations such as Stuxnet, where the United States and Israel reportedly succeeded in damaging the Iranian nuclear program through a clever attack on the computerized equipment that was refining uranium. Both are crucial aspects of United States’s offensive capability; neither are likely to be officially acknowledged in any specific way.
The United States wants to build norms for cyberspace
As I discussed in this recent CFR brief, the United States wants to build norms for cyberspace. When the United States discusses attacks against other actors, it notes that any such attacks will be made in accordance with the laws of armed conflict, and that the “Defense Department will always be attentive to the potential impact of defense policies on state and non-state actors’ behavior.” This language signals that the United States wants to subject cyber attacks to the traditional norms governing armed conflict, which, for example, stigmatize attacks aimed at hurting civilians. The United States also recognizes in principle that its attacks might be seen as giving other actors permission to carry out attacks too.
The United States is very clearly suggesting that it will try to be restrained. How exactly the United States will implement these restraints is unclear – the United States is unlikely to announce its exact rules of engagement to the world for fear that other actors might then be able to game these rules.
Furthermore, the United States seems to be moving towards publicly identifying actors that it believes to be norm breakers, and sometimes providing public evidence that supports its allegations. It is doing this by building collaboration between the military, intelligence and criminal justice systems – the public indictment of Chinese hackers appears to have been in part an effort to enforce the United States’s preferred norms.
The United States now believes that deterrence is possible in cyberspace
During the Cold War, a lot of U.S. strategic doctrine rested on the idea of deterrence – that one could prevent attacks on the United States and its allies, by e.g. threatening painful retaliation. Deterrence is a lot harder in cyberspace. It is often hard to be sure exactly who attacked you (the so-called ‘attribution problem’) making punishment problematic. As the then-Deputy Secretary of Defense William Lynn described the problem in a 2010 article in Foreign Affairs:
traditional Cold War deterrence models of assured retaliation do not apply to cyberspace, where it is difficult and time consuming to identify an attack’s perpetrator. Whereas a missile comes with a return address, a computer virus generally does not.
The United States has gradually been shifting position and now argues that deterrence is both possible and necessary. The new strategy document says that the United States:
must be able to declare or display effective response capabilities to deter an adversary from initiating an attack; develop effective defensive capabilities to deny a potential attack from succeeding; and strengthen the overall resilience of U.S. systems to withstand a potential attack if it penetrates the United States’ defenses.
The United States clearly believes that it now has the forensic ability to successfully identify attackers and to punish them. It also believes that it is possible to practice ‘deterrence by denial’ – making defense systems so effective that attackers will give up in frustration. Finally, the document talks about the need for ‘resilience’ – that is for building systems that are robust enough to survive cyber-attacks. This is a frequent theme in recent discussions of cybersecurity, and appears to now be a substantial plank of U.S. strategy. However, much of the U.S. technology infrastructure is in private hands – it is not at all clear that these capabilities will stretch to cover private as well as military systems.
The United States is starting to stigmatize markets for ‘zero day exploits’
One of the most interesting suggestions in the strategy document is that:
A nation-state, non-state group, or individual actor can purchase destructive malware and other capabilities on the black market. State and non-state actors also pay experts to search for vulnerabilities and develop exploits. This practice has created a dangerous and uncontrolled market that serves multiple actors within the international system, often for competing purposes.
Here, the United States is referring both to malware and so-called ‘zero day exploits’ — fundamental vulnerabilities in software that allow attackers e.g. to take complete control of a system (the Stuxnet attack used multiple zero day exploits). Clever hackers and specialized firms sell these exploits to the highest bidders in a semi-clandestine market. The United States has reportedly itself bought vulnerabilities on this market in the past, either to use to shore up U.S. defenses, or to exploit against U.S. adversaries. Even so, it makes excellent sense for the United States to try to crack down on these markets. Not only are they hard to control, but they potentially undermine U.S. strategic advantage. Since the United States has far better internal resources than other states, it is better able to develop zero day exploits itself without having to buy them on the open market. Most other states and non-state actors aren’t so lucky. It will be interesting to see if the United States now starts to take action against businesses and individuals who operate in the gray zone buying and selling these exploits.