Last week, the Pentagon released its first Strategy for Operating in Cyberspace, which provided guidance for how the military should “organize, train, and equip for cyberspace as we do in air, land, maritime, and space to support national security interests.” Deputy Defense Secretary William Lynn, who revealed the Pentagon’s National Security Space Strategy by characterizing space with the alliteration of “congested, contested, and competitive,” bested himself in describing that in the cyber domain “bits and bytes can be as threatening as bullets and bombs.”
The most anticipated component of the Pentagon’s new strategy was to clarify the circumstances under which the United States might respond to cyber attacks with offensive cyber operations or traditional military force. As one unnamed U.S. military official described potential military responses: “If you shut down our power grid, maybe we will put a missile down one of your smokestacks.”
Military officials recognize the increasing importance of deterrence as part of a strategy to defend military and civilian networks from malicious attacks. General James Cartwright, the Vice Chairman of the Joint Chiefs of Staff, told reporters that he hoped the Pentagon’s cyber efforts would move “from being 90% focused on defense to 90% focused on deterrence within a decade.”
The Pentagon’s strategy, however, lacked a declaratory policy for either offensive cyber or military deterrent options, other than the general statement that the United States would “reserve the right to defend these vital [cyber] national assets as necessary and appropriate.” When asked to “articulate what scenario would justify the use of traditional military force,” Lynn replied: “If the effect of some sort of action reached the threshold that the nation and the president and the Congress considered it an act of war, we would have military response as an option, although again, we always look at use of military force as a last resort.”
As I noted in an earlier post, there are many complex and unresolved technical, legal, jurisdictional, and policy issues that must be worked through before the United States should consider using offensive cyber operations or military force to defend the cyber domain. Unfortunately, the Pentagon’s strategy did not provide sufficient clarity regarding these issues.
Today, the Government Accountability Office (GAO) released a report that revealed some of the Pentagon’s shortcomings regarding cyberspace:
“No single joint publication completely addresses cyberspace operations.”
“Definitions—such as what constitutes a cyber force—are not uniformly defined across DOD, and there are cases in which the same cyber-related term may mean something different among the services.”
“Lines of command and control of cyber forces are divided among U.S. Strategic Command, the geographic combatant commands, and the military services, through several policy and guidance documents…[The documents are] all relevant to command and control of cyberspace operations, but they sometimes conflict with each other and remain unclear because of overlapping responsibilities.”
An earlier GAO report had warned that the Pentagon lacks the “detailed and formalized guidance needed to clarify roles, responsibilities, command structures, and mission requirements.” Davi D’Agostino, the GAO’s director of defense capabilities, stated last week regarding Pentagon cyberspace efforts: “We are still seeing problems with ground rules and command and control. Is it clear who does what to whom?”
At a confirmation hearing last week for the Assistant Secretary of Defense for Global Strategic Affairs, the following exchange between Senator John McCain and prospective nominee Madelyn Creedon captures the confusion over what U.S. policy is in the face of cyber threats:
SEN. MCCAIN: Ms. Creedon, General Cartwright mentioned -- he said that DOD is spending 90 percent of its time playing defense against cyberattacks and 10 percent playing offense, and that in his view the department should invert this ratio to demonstrate there will be consequences to a cyberattack against the United States. To start with, do you agree with General Cartwright?
MS. CREEDON: I do, sir, and he said over time that that’s where the department has to be.
SEN. MCCAIN: And so what -- give me an example of what the consequences would be, for example, of a cyberattack that shut down our defense logistics system in some way.
MS. CREEDON: Well, one of the things that -- I mean, one of the things that he put in this context was that the constant building of -- the building of higher defenses -- it becomes more and more expensive. And so as a little -- it -- and the attacks are inexpensive and the defenses are more expensive. So one of his constructs -- and although he conceded that it was in a very hypothetical construct -- is that someday we have to figure out that the -- right now the attack just causes us to spend more money on defenses, and what he’s trying to say is that at some point we have to make it clear that that attack -- in fact there’s more to that attacker to pay than there is to us to pay for the higher defenses.
SEN. MCCAIN: I fully understand that. Now what is the consequence?
MS. CREEDON: -- and how to get there is hard. And part of this is, like any other thing, you have to look at, well, what is -- what is the attack, what was the result of the attack, and then --
SEN. MCCAIN: What would be the consequence?
MS. CREEDON: -- and act appropriately on something like that. And so it doesn’t have --
SEN. MCCAIN: What would be an appropriate action?
MS. CREEDON: Well, and it doesn’t -- it wouldn’t necessarily have to be a cyberattack, and you also have -- part of the problem is figuring out who did it.
SEN. MCCAIN: Will you give me an answer as to what one of the consequences would be?
MS. CREEDON: Well, for instance, on something like that, if we knew who did it, it could be -- maybe it could be something that would deal with their ability to attack us further, so it would -- it could be a response in cyber -- maybe it’s taking out some of their computer systems. Maybe -- depends on where they are, depends on who’s behind it. It could be a land-based attack. But again, it would have to be modulated based on the time, the duration and the impact.
The United States should have a declaratory policy for the cyber domain that is specific, vivid, and clear enough that both potential adversaries and those in the U.S. government directed to implement it can understand it. There is such a policy for nuclear weapons as articulated in the 2010 Nuclear Posture Review: “The United States will not use or threaten to use nuclear weapons against non-nuclear weapons states that are party to the Nuclear Non-Proliferation Treaty and in compliance with their nuclear non-proliferation obligations.” Given that policymakers repeatedly claim that cyber threats are increasing in scope and intensity, there should be no confusion about what U.S. policy is when vital interests are at risk from cyber attacks.