Reports indicate that new legislation in the Senate proposes to authorize US military cyber warriors to go on the offensive against Russian attacks on the United States in cyberspace. It also mandates a cyber deterrence doctrine.
These same reports indicate that lawmakers were disappointed in the administration’s latest cyber policy. The Senate Armed Services Committee’s fiscal year 2019 defense policy bill designates clandestine military operations in cyberspace as “traditional military activities.” This affirms the secretary of defense’s ability to order cyber operations. A related section of the bill “authorizes the National Command Authority to direct US Cyber Command to take appropriate and proportional action through cyberspace to disrupt, defeat and deter systematic and ongoing attacks by Russia in cyberspace,” the report states:
(a) In General.—It shall be the policy of the United States, with respect to matters pertaining to cyberspace, cybersecurity, and cyber warfare, that the United States should employ all instruments of national power, including the use of offensive cyber capabilities, to deter if possible, and respond when necessary, to any and all cyber-attacks or other malicious cyber activities that target United States interests with the intent to—
(1) cause casualties among United States persons or persons of our allies;
(2) significantly disrupt the normal functioning of United States democratic society or government (including attacks against critical infrastructure that could damage systems used to provide key services to the public or government);
(3) threaten the command and control of the United States Armed Forces, the freedom of maneuver of the United States Armed Forces, or the industrial base or other infrastructure on which the United States Armed Forces rely to defend United States interests and commitments; or
(4) achieve an effect, whether individually or in aggregate, comparable to an armed attack or imperil a vital interest of the United States.”
There are several interesting aspects to this Congressional proposed strategic policy.
1. The concept of cyber deterrence as a doctrine.
2. That deterrence of cyber-attacks may also be achieved by the use of non-cyber responses.
The congress determining national security strategy is by itself unique. The formal authorization of a cyber deterrence doctrine opens the whole realm of what is deterrence?
My UCLA graduate school professor (Bernard Brodie who was one of the founders of deterrence doctrine thought of deterrence as” a strategy intended to dissuade an adversary from taking an action not yet started, or to prevent them from doing something that another state desires. A credible nuclear deterrent, he wrote, must be always at the ready, yet never used.”
Subsequently the capacity to harm another state was to be a motivating factor for other states to avoid it and influence another state’s behavior. To be coercive or deter another state, violence must be anticipated and avoidable by accommodation.
Deterrence is considered to consist of the capability to inflict such harm and the willingness to do so. Capability is the more easily demonstrated aspect of deterrence. It is achieved through observable tests, news reports or use. Willingness is the hard part to quantify. It is usually thought to consist of demonstrated use or as during the cold war some form of automaticity to the response. With the consequences of a major nuclear exchange being so great during the cold war and automatic responses discussed openly no side was willing to test the willingness of the other.
This lack of willingness to test the other side’s willingness became the source of moderation during the cold war. Simple escalation of the DEFCON or making advanced alert status visible was used as a method of signaling willingness.
How one is to signal willingness in the cyber world is a fascinating question. It may require some cyber ‘skirmishes.” Possibly these have already occurred.
As we go forward in the evolution of strategic thought the concept of cyber deterrence will require significant additional study and the response to questions, such as:
- What is the potential damage?
- What is the nature of escalatory steps?
- What are the defensive measures? (These will most likely be constantly changing.)
This article should open a dialogue of cyber deterrence. Please make your comments and check back for the comments of others.