This post is the latest installment of our “Monday Reflections” feature, in which a different Just Security editor examines the big stories from the previous week or looks ahead to key developments on the horizon.
Last Thursday, the Department of Defense issued a new DOD Cyber Strategy in conjunction with a speech by Secretary of Defense Ash Carter.
The new Strategy updates some aspects of DOD’s 2011 Strategy for Operating in Cyberspace, which had become quite outdated. For example, the 2011 Strategy asserted that “[m]ost vulnerabilities of and malicious acts against DoD systems can be addressed through good cyber hygiene,” and it did not identify any specific foreign countries as perpetrators of cyber intrusions against the United States. By contrast, the new Strategy highlights the risk of malware proliferation and especially the “dangerous and uncontrolled market” for vulnerabilities. (It does not mention that the United States is allegedly among the major purchasers in the zero-day vulnerability market.) The new Strategy also recognizes that “[p]otential adversaries have invested significantly in cyber,” and calls out Russia, China, Iran, and North Korea, as well as potential threats from non-state actors, including ISIL. In addition, Carter’s speech revealed that Russia compromised DOD’s unclassified networks earlier this year.
Together the Strategy and speech provide additional details on DOD’s role in defending against cyber attacks and creating deterrence, emphasize the US position on the application of laws of armed conflict to cyberspace, and make clear the important role of private parties in the US government’s approach to national cybersecurity.
1. DOD’s Role and the 2% Test
Earlier this month, Assistant Secretary of Defense Eric Rosenbach testified before a Senate Armed Services Subcommittee about DOD’s limited role in protecting against cyberattacks. Rosenbach explained, “The Department of Defense is not here to defend against all cyberattacks—only that top 2 percent—the most serious.” The Strategy fleshes out this statement, explaining:
DoD must be prepared to defend the United States and its interests against cyberattacks of significant consequence. While cyberattacks are assessed on a case-by-case and fact-specific basis by the President and the U.S. national security team, significant consequences may include loss of life, significant damage to property, serious adverse U.S. foreign policy consequences, or serious economic impact on the United States.
Reading Rosenbach’s testimony and the Strategy together suggests that, in DOD’s view, 98% of cyberattacks are not “of significant consequence.” The articulation of this standard is helpful, but its emphasis on case-by-case, fact-specific assessment still leaves much unclear—even its relationship to the Sony hack. In a Q&A period after his speech, Secretary Carter had the following exchange:
Q: But of course, as you know, if we could imagine Hollywood screenwriters writing a script of a cyber attack, nobody would ever believe the attack on Sony.
So how do you think about setting a — a clear set of criteria for defining acts of significant consequence when we see unprecedented types of attacks today?
SEC. CARTER: Well, you’re asking again about what would be an act of significant consequence, and I think that that’s something that is going to — a determination that’s going to be made case by case, depending upon danger or potential danger to life and property in — in the United States.
And we’ll make that determination if and when it occurs on a case by case basis. In the Sony attack case, first the president did make that determination and did direct action which wasn’t in cyberspace.
Carter’s response suggests that the Sony hack did meet the “significant consequence” test, but that nonetheless, the US response was limited to sanctions implemented by the Treasury Department. In other words, being in the “top 2 percent” of cyberattacks is necessary, but not sufficient, for a response by DOD.
(As an aside, Carter’s statement that the President “direct[ed] action which wasn’t in cyberspace” in response to the Sony hack appears to further confirm that the United States was not responsible for the North Korean Internet outage in December, as some had speculated.)
2. Deterrence and Engagement
In a Senate hearing on March 19, Sen. John McCain blasted the Obama Administration’s “failure to develop a meaningful cyber-deterrence strategy,” and Adm. Michael Rogers, the head of US Cyber Command, conceded that deterrence is not working.
Fast-forward five weeks, and the new Strategy includes roughly two pages devoted to deterrence, focusing on DOD’s role but also articulating the roles of other departments, such as the Department of Justice’s May 2014 indictment of Chinese military officials for stealing intellectual property from US companies. The Strategy explains several elements of a theory of deterrence including declaring willingness and demonstrating ability to respond to attacks, improving defenses to prevent attacks from succeeding, strengthening the resilience of US systems to withstand successful attacks, and improving attribution.
Having a publicly articulated theory of deterrence is progress, but whether it will be effective in practice is a separate question.
Moreover, some elements of the deterrence strategy may be in substantial tension with the engagement that the Strategy also envisions. The Strategy declares that to “enhance strategic stability,” DOD and China will hold discussions about cyberspace military doctrine to “reduce the risks of misperception and miscalculation that could contribute to escalation and instability.” The Strategy further notes that DOD will seek similar dialogue with the Russian military “[i]f and when U.S.-Russia military relations resume.” But DOJ’s May 2014 indictment of Chinese military officials prompted a now nearly year-long cessation of the US-China Cyber Working Group. Future efforts at deterrence-by-indictment or naming and shaming could similarly set up a tradeoff between deterrence and engagement.
3. Role of Law
Law got a welcome upgrade in the 2015 Strategy. The 2011 Strategy mentioned law only once and in relation to legal limits on DOD’s collaboration with DHS.
The new Strategy notes repeatedly that DOD’s actions in cyberspace are limited by domestic and international law. For example, the Strategy notes, “In a manner consistent with U.S. and international law, the Department of Defense seeks to deter attacks and defend the United States against any adversary that seeks to harm U.S. national interests during times of peace, crisis, or conflict.” (p. 2, emphasis added.) It also specifically invokes the law of armed conflict: “Any decision to conduct cyber operations outside of DoD networks is made with the utmost care and deliberation and under strict policy and operational oversight, and in accordance with the law of armed conflict.” (p. 6, emphasis added.)
As others have noted (see here and here), the Strategy is vague on some issues, but the applicability of existing law shouldn’t be — and happily isn’t — one of them.
4. The Role of Private Parties
Partnership between the private sector and DOD is a major theme of the Strategy and especially of Carter’s speech, which was — not coincidentally — delivered in close proximity to Silicon Valley. But I want to focus on one particular aspect of the role of private parties in DOD’s cybersecurity strategy, namely, the role of private parties in attribution.
In a prior post, I highlighted the role that private cybersecurity firms have played in attributing attacks to state-sponsored actors. The Strategy and speech take up this issue. The Strategy notes that “[p]ublic and private attribution can play a significant role in dissuading cyber actors from conducting attacks in the first place.” Carter’s speech is even more specific:
We like to deter malicious action before it happens, and we like to be able to defend against incoming attacks – as well as pinpoint where an attack came from. We’ve gotten better at that because of strong partnerships across the government, and because of private-sector security researchers like FireEye, Crowdstrike, HP – when they out a group of malicious cyber attackers, we take notice and share that information.
Private attribution has become an element of public policy.
Overall, the Strategy is a necessary update to the dated 2011 version and better reflects the current state of play on cybersecurity issues. Its affirmation of the applicability of domestic and international law is a positive addition, particularly coming from a government agency that, in the event of a conflict, would be charged with undertaking cyberwarfare. The case-by-case 2% test for DOD’s defensive role and the theory of deterrence that the Strategy articulates are useful declaratory policies, but time will tell how they apply and whether they will work in practice.