'Cyber Cold War' rhetoric raises alarms

Calls from Capitol Hill for "mutually assured destruction" over alleged Russian hacking are raising questions about whether cyber deterrence is even possible.

When Congress blew back into town this month, so did a lot of bluster over alleged Russian-backed hacking of the Democratic National Committee and U.S. elections infrastructure.

In particular, House Homeland Security Committee Chairman Michael McCaul (R-Texas) raised the specter of a cyber Cold War with Russia and mutually assured cyber destruction.

But that rhetoric isn't sitting well with cyber experts.

"It's nuts, and it's woefully uninformed about the cybersecurity world," said Andrew Plato, cybersecurity expert and president of intelligence firm Anitian. "It's Cold War thinking trying to be applied to Information Age structures, and it isn't going to work.

Plato said Cold War doctrine made sense because of the physicality of the threats and capabilities at the time. But the volatility of the cyber world and the ability of hackers to pop up and disappear quickly mean that you can't point weapons at a physical location and expect to intimidate hackers.

"The etherealness of the world we live in doesn't allow you to have some sort of massive response because you're responding to nothing," he said.

Plato argued that the U.S. could spend months or years developing cyber weapons, but it can be impossible to predict how useful or intimidating they might be.

"That moment finally arrives and they pull those weapons out to use them and half of them just don't work," he said. "Or the weapon they have works but it doesn't do what you want it to because the entire environment has changed from when you developed that."

A 'cyber Hiroshima'

Melissa Hathaway, senior adviser for the Cyber Security Project at Harvard University's Kennedy School of Government, said the Cold War rhetoric is born out of frustration with the growing number of attacks and a sense of embarrassment over the fragility of America's cyber infrastructure.

She said the conversation needs to move from Cold War doctrine to "what are we going to do to protect our data, to protect our critical infrastructure, to protect our country?"

That conversation requires taking responsibility, understanding what is happening, and rebuilding the partnership between the executive and legislative branches, she added.

"I think the core to any policy or strategy has to begin with and end with resilience," Hathaway said. "The more fragile we are to an individual or a nation-state causing harm to something that we consider critical to our national or economic security, then we're in trouble, so we have to invest in resilience."

Even though the state of cyberwarfare has advanced to the point where physical damage is a potential outcome, "we're not at that Cold War level of completely wiping out you or me," said Joshua Toman, an adjunct professor at Charlotte School of Law and a cyber strategy expert. "I think that we are seeing that we could be at a significant place where one state could have an enormous impact on another nation-state."

He added that a "cyber Hiroshima" is a more realistic scenario that should be framing the debate. Hathaway said having an offensive cyber weapon could provide some measure of deterrence but only if there is a credible threat of its deployment. And she warned that hacking back or an offensive attack could lead to unintended consequences.

"I don't think that we've really thought through the different paths of escalation and de-escalation and the different sets of moves that could lead to a lot of miscalculations," she said.

Toman agreed. "The short answer for deterrence is, 'Well, they did this, we know who it is, we're going to go back after them,'" he said. "At what point then does that lead to the constant escalation?"

The White House issued a cyber deterrence policy last year, but Hathaway said the policy is not so much a strategy as a loosely aggregated list of capabilities or possible responses.

Still, she argued that having a rigid deterrent doctrine could make it harder to respond.

"Some argue that an effective deterrence is entanglement -- that if you both have just as much to lose then you will not engage in the actual activity," Hathaway said.

She added that if the U.S. is more resilient than its adversaries, that ability to survive and respond will deter attacks -- essentially the equivalent of a second-strike capability under Cold War doctrine.

Hathaway said the U.S. has the most infected cyber infrastructure in the world, and the growing number of cyberattacks on U.S. assets is a sign of the country's failure to shut down malicious botnets, command and control nets, and ransomware. She said a focus on cleaning up America's infrastructure along the lines of the effort to fix the Year 2000 computer bug would go a long way toward deterring cybercrime.

Why advertise deterrence?

Plato said that even if you have a strong deterrent capability, you don't necessarily want to advertise it.

"The cybersecurity world is where your best deterrent is really a very strong defense -- and a defense that isn't always obvious," he said. "You tend to get measured by how quickly and adeptly you respond to an incident or a situation.… The deterrence becomes this agility, this ability to react to things and muster resources quickly and deploy them quickly."

He said that rather than focus on building some sort of "giant Death Star cybersecurity weapon, let's build a team of brilliant people. Let's motivate them and let's put those people out there because that's going to be the defense."

Another topic of debate among policymakers is whether the U.S. needs new laws of war or other legal tools to combat and deter cybercrime. Experts told FCW that existing legal frameworks are sufficient.

Toman said the U.S. should instead consider non-lethal deterrent measures such as seizing assets or "tasing" the computers of hackers -- options that could be permissible under current law.

Experts also agreed that it's essential for the U.S. to work with foreign governments to establish international legal structures so that hackers and cybercriminals can't hide in places the U.S. can't reach.

"The focus needs to be on cooperation so that instead of it being the United States goes in and does rendition and pulls out a hacker, we're working to get those countries to engage in it themselves," Toman said.

Ultimately, policymakers need to provide more guidance to government and industry, he added. Better guidance and policy conversations would foster stronger cooperation between the two sectors and lead to greater deterrence.

"Each situation is going to have to be judged on its own, but do we have clear-cut reasons or guidance as to 'in this situation, we will do it'?" Toman said. "That to me is the better question. There should be certain situations where we say, 'When this happens, we're doing this. We're going to give ourselves that authority.'"
