With warnings that the next Pearl Harbor could be delivered through a computer terminal, what can the government do to deter a cyber attack?
The issue is starting to take on more urgency as the public becomes more aware of the possibility that an adversary, armed with nothing but lines of computer code, could pose a serious threat to computer systems critical to the functioning of U.S. power plants, electrical systems and other infrastructure.
Bill Lynn, who retired earlier this month as deputy secretary of defense, noted in a recent Foreign Affairs article that the United States is “in the midst of a strategic shift in the cyberthreat.” Until now, he wrote, intrusions have largely been aimed at stealing information from companies or spying on the government. Now, he said, the threat is that a cyber attack could destroy critical networks.
“In the twenty-first century,” he said, “bits and bytes are as threatening as bombs and bullets.”
The Pentagon in July released a cyber strategy whose “overriding emphasis” is on denying an adversary the benefit of an attack.
“Rather than rely on the threat of retaliation alone to deter attacks,” Lynn said then, the strategy is to strengthen defenses, thereby forcing adversaries to spend more to mount an attack and maybe alter their decision-making calculus.
The strategy builds on a White House declaratory policy issued in May that warns: “We reserve the right to use all necessary means — diplomatic, informational, military and economic — as appropriate and consistent with applicable international law, in order to defend our nation, our allies, our partners, and our interests.”
Still, some experts are pushing for more clarity. Gen. James E. Cartwright Jr., who stepped down in August as vice chairman of the Joint Chiefs of Staff, said in a recent interview that the policy needs to be more explicit. “What I’m looking for,” he said, “is a national strategy, like we had for nuclear weapons, which said, ‘OK, world, here’s how we’re going to hold you accountable, here’s what we’re going to do to you if you don’t behave right.’ ”
The adversary needs to know the United States has a variety of options, conventional, strategic and cyber, Cartwright said. “We don’t have to launch any of them. We could launch all of them. … Until we see the attack, we don’t know which of these we’re going to use. But this is our menu. It’s pretty robust. And believe us, it’s going to hurt.”
Similarly, Dmitri Alperovitch, a security researcher, argued at a recent Brookings Institution symposium: “We need to start talking openly about our offensive capabilities in cyber and their readiness levels, just as we discuss our ballistic missile arsenals, Air Force or submarine fleets.”
“Ambiguity,” said Alperovitch, former vice president of threat research at McAfee, “is counterproductive.”
But Martin Libicki, a researcher with Rand Corp., said the issue may be less about whether the United States should have a policy of deterrence and more about whether “we would gain or lose” by explicitly declaring one.
“No state honestly believes it can devastate the U.S. with a cyberattack and the U.S. would not respond,” he said.
After all, he added, “we did not declare we would overthrow regimes that harbored terrorists before 9/11, but no one was surprised that we did so afterward.”