White House should develop cyberspace deterrence policy, says SASC


The president should develop a deterrence policy for cyberspace, says the Senate Armed Services Committee.

Current policy documents, the committee says in the legislative report (.pdf) accompanying its June 14 markup of the fiscal 2014 national defense authorization act (S. 1197), lack depth and breadth and fall short of an "integrated policy to deter adversaries in cyberspace." The committee voted 23-3 for the bill.

In calling for a cyber deterrence policy--the committee says it would want one from the White House within 270 days of the authorization act becoming law--the committee places itself squarely in the middle of an ongoing debate over the extent to which deterrence is possible, or necessary, in cyberspace.

In a recent paper, political scientist Martin Libicki argues that brandishing cyber weapons as an element of deterrence is far more complex than brandishing that took place in the Cold War. Broadcasting--whether implicitly or explicitly--military capabilities is a key part of deterrence; its intended effect is to persuade enemies, or potential enemies, not to start wars or even prepare for them by affecting their risk calculation. But Libicki says that while cyber brandishing is possible, its wisdom "is not obvious" since it can make actual wartime system penetration harder and may backfire on the brandisher by encouraging hacking victims to blame the brandisher, whether the attribution is accurate or not.

Milton Mueller, an Internet governance academic at Syracuse University, says in a recent blog post that the very idea "that cyber attacks can be 'deterred' through offensive cyber capabilities is a wrongheaded holdover from nuclear thinking." A true cyber war--a conflict fought through cyber means with the intention of compelling an enemy through force--is not a strategically viable possibility at the moment, Mueller writes. Too often, discussions about cyber attacks conflate cyber war with data theft, he adds, and the value of offensive capabilities as a deterrent to espionage "is highly questionable."

"If the information is really valuable, punishing them after they have it is unlikely to deter the espionage (assuming we can even know that it has been taken in a timely fashion)," he adds.

Mueller isn't the first to make similar observations--James Andrew Lewis of the Center for Strategic and International Studies has also written (.pdf) that espionage and crime aren't behaviors that can be deterred because "they fall below the thresholds found in international law to justify the use of force in self-defense, make deterrence largely irrelevant."

The committee report also would require the White House to establish an interagency process to control "the proliferation of cyber weapons through unilateral and cooperative export controls" and other means.

Under the SASC provision, an interagency committee would meet to develop definitions for controlled cyber technologies and determine "how to address dual-use, lawful intercept, and penetration testing technologies."

For more:
- go to the THOMAS page for S. 1197
- download the legislative report; the DoD CIO language is in Sec. 901 (.pdf)

Related Articles:
Chinese cyber exploits target government intelligence, says DoD report
Third Amendment constrains military cyber operation, argues EPIC lawyer
Cyber threat requires special bomber deterrent force, says DSB task force
Offense and defense not clearly separable in cyberspace, says Cybercom general