When the White House rescinded existing guidelines on how the United States should respond to cyberattacks this summer, it signalled that the government’s interest in having the military be more actively involved in responding to threats. The Department of Defense’s newly released 2018 Cyber Strategy provides some insights in how the military will defend federal networks and aggressively deter adversaries from targeting U.S. networks in the first place.
Deterrence is a strategy to dissuade or prevent adversaries from taking specific actions. Most deterrence frameworks are based on nuclear deterrence—instead of overwhelming the adversary with extreme firepower or superior fortifications, countries convinced them to not attack in the first place. Deterrence relied on possessing nuclear weapons and threatening to use them, but did not require actual usage. Cyberattacks don’t really compare to nuclear warfare, but cyber deterrence as a strategy follows the same lines—adversaries will hold back on their worst attacks in fear of US retaliation.
“I honestly am not convinced we even had a policy of cyber deterrence,” said Andrea Limbago, chief social scientist at Endgame. A successful deterrence strategy requires a “credible threat of a response or retaliation” to influence the attacker’s risk calculus, but there is little public information about how the U.S. has responded, or punished past public and private sector compromises. The recent policy shifts may influence the attacker’s decision-making, only if the attacker believes the U.S. will retaliate, either with a digital attack or by other means.
“To date, and based on the escalating series of attacks against the U.S. private and public sector, there seems to be little credible threat of U.S. retaliation,” Limbago said.
Back in 2013, the Presidential Policy Directive 20 laid out a framework outlining how federal agencies had to coordinate with other agencies before launching any offensive digital operations. Rescinding PPD suggested the government’s goal was to “‘remove the gloves’ and enable cyberattacks in reprisal, or possibly proactively,” said Bryson Bort, CEO and founder of SCYTHE.
“Up to this point, deterrence was a concept with no teeth. Now, we’ve added teeth,” Bort said.
Defense Forward as a Strategy
In a six-page summary document of the 2018 Cyber Strategy, the Defense Department outlined the military’s role in cyberspace in the context of the Joint Force—Army, Navy, Air Force, the Marines, and the Coast Guard. The summary also described three operational concepts: intelligence collection (activities to gather valuable information about attacks and adversaries), battlefield preparation (activities to make future operations possible, such as installing backdoors in systems that can be exploited at a later time), and defend forward (activities to stop attacks before they even reach U.S. networks).
“We will conduct cyberspace operations to collect intelligence and prepare military cyber capabilities to be used in the event of crisis or conflict. We will defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict,” the DoD wrote.
Up to this point, deterrence was a concept with no teeth. Now we’ve added teeth.
Defend forward has a broader geographic scope, since action is taken on non-U.S. networks to stop an attack before it hits U.S. networks. The DoD also said “below the level of armed conflict,” which would mean that the U.S. doesn’t need to be in open conflict with the other nation-state in order to carry out its activities.
“[Defend forward] entails operations that are intended to have a disruptive or even destructive effect on an external network: either the adversary’s own system or, more likely, a midpoint system in a third country that the adversary has employed or is planning to employ for a hostile action,” University of Texas School of Law professor Bobby Chesney wrote on Lawfare.
Offense vs Collateral Damage
The fact that the operations will be on external networks means collateral damage is a risk. Attackers distribute their infrastructure all over the world to hide their activities and to make it harder to dismantle. They could be using systems hijacked from unsuspecting owners. Even assuming that the the U.S. government can be precise about attribution and target only the systems belonging to the responsible group, that could still have consequences.
“We turn the entire infrastructure (computers, servers, everything!) into expensive paperweights. At best, that’s a nuisance [for the attacker]. It costs [the attack group] some money and time (maybe a few weeks at most, probably less), and they’re back online good as new,” Bort said. “After the first couple of times, they’ll change their tactics. The ability to do this, as well as the cost to regenerate, will improve. In the end, we’ll have launched a fairly expensive response (those capabilities will be burned and may cost more than the damage) for an effect at the level of a nuisance and now opened the option for them to return fire. Which they’ll do. Against our civilian infrastructure (hello, Aramco).”
Much of the critical infrastructure in the United States belongs to the private sector and is not under direct government control. “Our soft spot is private industry, the engine of economy and society,” Bort said. “Are we going to strike back at their private industry? That seems counter to American values.”
Limbago noted that while much of the critical infrastructure in the U.S. are commercial networks, in many countries, private companies with the kind of capabilities to carry out these kinds of strategic initiatives tend to be “tightly connected to the government.” “[If] some private corporation with direct ties to their government is attributed to anything from espionage to destruction, we should be prepared to respond proportionally,” Limbago said.
Attackers have always relied on the Internet to carry out their campaigns. Defense forward means the Department of Defense will allow its security personnel to also carry out operations outside U.S. networks. The Internet is now a part of the battlefield, which means these campaigns can accidentally disrupt normal Internet operations for businesses and consumers around the world.
“Your Netflix packets could coexist with our counter-punch!” Bort said.
“The United States does not want to be responsible for the next NotPetya, an attack that started as a targeted Russian operation against Ukraine and quickly ballooned into a global campaign costing billions of dollars in damages,” Dave Weinstein, vice president of threat research at Claroty and a New America cybersecurity policy fellow, wrote on Lawfare.
“Only When Necessary” Strategy
A diplomatic crisis is another possibility if the attacker uses a system in a country friendly or allied with the U.S. to carry out attacks, and the U.S. retaliates against that system. If the country was not an ally, then it could trigger military escalation. Either result could hamper international efforts to establish norms of behavior for cyberspace. Ideally, the U.S. should be looking at a framework mapping out a spectrum of defend forward activities, corresponding collateral effects, and measures of effectiveness. Such a framework would help the U.S. establish agreements with allies regarding defend forward.
“Equally important as how America defends forward is the circumstances under which that defense takes place,” Weinstein said. “The first consideration for when to defend forward should be focused on the possible consequences of not doing so.”
The Department of Defense cannot ignore the sheer number of attacks against U.S. networks, but just as important, it can’t relax the rules of engagement to the extent that anything goes. No rules doesn’t lead to deterrence—it just frees up attackers to operate with impunity. Defend forward works as deterrence if it is one of, and not the only, option, available.
“Real deterrence would be to convince the decision-makers to change course,” Bort said. Responding with cyber attacks opens up that option to the adversaries. Rather than increasing deterrence and changing adversarial behavior, “we may accomplish little more than introducing entropy into the overall environment.”
Limbago warned against framing offensive operations as a one-size-fits-all strategy. Response should take into consideration the attack’s effects, the identity of the threat actor, and what other—non-cyber—options may be available.
“[We] should not assume our response has to be cyber tit-for-tat. There are other ways to respond to an attack that may be even more effective depending on the circumstances, such as sanctioning or freezing the assets of the specific private company,” Limbago said. “Potential responses need to be customized for each potential adversary.”
Rescinding the older PPD-20-rules that required interagency coordination before the U.S. could launch out-of-network operations against systems seems to just mean the U.S. can operate more quickly, whether as a preemptive action or as a response. The question really isn't whether or not defense forward should be part of the DoD’s mission, but rather what the process might be like for deciding to go forward with such an operation. Chesney wrote that rescinding PPD-20 seems to have pushed the decision down the decision-making tree to the hands of the commanders and not have it up at the higher levels.
“We know the reins have loosened, but it’s not clear just how loose they are either on the vertical or the horizontal dimensions within the executive branch,” Chesney wrote. “Until we know the answer to those questions, it’s hard to assess the significance of the summary’s clear embrace of 'defense forward' as an operational category.”
It’s possible that adding cyberattack capabilities to the defender’s toolkit won’t make much of a difference. “Let’s use Putin as a straw-man,” Bort said. “What can we do through cyber effects that would change his decision calculus? We’ve already frozen the finances of the senior kleptocrats and oligarchs in his administration; we didn’t need cyber for that. I doubt that nuking their PCs is going to make a difference.”