
Lynn: Cyber deterrence rests mostly on denial, not retaliation

Deterrence in the cyber world will depend far less on retaliation than on denying enemies access to U.S. networks in the first place, says Deputy Defense Secretary William Lynn.

Lynn wrote a much-noted article that appeared online August 25 in Foreign Affairs discussing efforts the Defense Department is undertaking to counter increasingly sophisticated cyber attacks. While attention has generally focused on Lynn's account of a foreign intelligence network attack made through an infected USB drive, the deputy secretary also makes several policy points in the article.

The extent to which a cyber attack should provoke a retaliatory response has been a recent matter of debate within the strategic community. But given the difficulty of assigning attribution to cyber penetrations, and the question of what constitutes a cyber attack, as opposed to espionage, "deterrence will necessarily be based more on denying any benefit to attackers than on imposing costs through retaliation," Lynn wrote.

In a phone call with reporters, Lynn didn't exclude retaliation, but emphasized that "the mix in the cyber world is more heavily weighted to denial of benefit than retaliation."

Deterrence founded mostly on retaliation isn't the only Cold War concept that fails to make the cyber cut in Lynn's article. Because attribution difficulties make verification of compliance almost impossible, traditional arms control regimes would also likely fail to deter cyber attacks, Lynn wrote.

"If there are to be international norms of behavior in cyberspace, they may have to follow a different model, such as that of public health or law enforcement," he added.

However, the Cold War construct of shared warning among allies does apply to cyberspace, Lynn wrote. During his press availability, Lynn said he's recently traveled officially to the United Kingdom, Canada and Australia and will travel to NATO headquarters in the next month to foster cybersecurity cooperation.

Lynn's Foreign Affairs article also tackles the problem of acquiring information technology capabilities for the Defense Department. Few disagree that the current acquisition process, as generally administered, leaves the department lagging in acquiring cutting-edge private sector technology.

But the Pentagon is developing a new, specific acquisition track for IT, Lynn wrote. It will allow acquisition cycles of 12 to 36 months rather than seven to eight years, as often occurs now, he said.

In addition, the new acquisition track will allow for incremental development and for different levels of oversight, depending on the mission criticality of the technology in question. For it to work, however, the military "must be willing to sacrifice or defer some customization in order to achieve speedy incremental improvements," Lynn wrote.

For more:
- read Lynn's Foreign Affairs article (reg. req.)
- listen to Lynn's phone call press availability (.mp3)
