Why there's no one deterrent for cyber

Shutterstock image: cyber defense. 

A border control model doesn't work. Neither does a missile defense nor nuclear "mutually assured destruction" framework when it comes to cyber strategy and deterrence, according to current and former government officials.

Michael Daniel, former cybersecurity coordinator in the Obama administration, told FCW after a panel discussion at the RSA conference in San Francisco that given the vast range of cyberthreats -- from nation states to hacktivists -- that it is not possible to have one deterrence policy that works against every actor.

"You're going to have to have broader policy framework than that," he said.

"One of my goals when I was in the administration was, somewhere between the diplomatic engagement and the diplomatic saying 'please stop' to like, kinetic strike, there had to be more tools in there and we didn't have that full toolbox built out so you could ratchet the response up or down as needed."

He said that toolbox needs to be built so that any administration can open it up and put together a package of responses that could include sanctions, diplomatic action, law enforcement or intelligence actions to deter a specific actor.

He said that in his time in government that conversation was starting to happen, but it did not fully mature. In addition, he said the conversation has to expand to involve all the branches of government as well as the private sector.

He said the conversation needs to also get beyond a historic view that the complexity of the internet is only a source of vulnerability and to instead look at how to make the complex nodal structure a strategic advantage.

"And how can we now integrate across the private sector and the government so that no one party is responsible for all the security, but collectively we're responsible for more of it," he added.

Jeanette Manfra, Acting deputy undersecretary in the Department of Homeland Security's Office of Cybersecurity and Communications said that developing a cyber deterrence policy will require extensive public debate and analysis, and it won't be resolved quickly.

"I don't think you kind of really just dictate, OK, here's the nuclear triad for cybersecurity," she said.

"A lot of this comes down to society, government, private sector -- we all need to work through the process and the debate to understand what is it? What are the tradeoffs? What are our priorities? How do we want this to look? And it will sort of emerge."

She said that many of the previous and existing strategic frameworks – nuclear policy, counterterrorism, public health policies – all went through extensive processes of debate and revision, and cyber is no different.

"You have to understand that the reason why some of these mental models break down is either physics or the way that it's just sort of developed and the complexity of it all," she added.

She said people also need to keep in mind that cyber is often a means to carry out an crime or act for which there are longstanding policies to address.

"This is espionage, this is sabotage, this is coercion, there're just a lot of things that have happened for hundreds of years, they're just being used virtually and at a scale that is too complex, potentially, to understand," she said.

About the Author

Sean Carberry is an FCW staff writer covering defense, cybersecurity and intelligence. Prior to joining FCW, he was Kabul Correspondent for NPR, and also served as an international producer for NPR covering the war in Libya and the Arab Spring. He has reported from more than two-dozen countries including Iraq, Yemen, DRC, and South Sudan. In addition to numerous public radio programs, he has reported for Reuters, PBS NewsHour, The Diplomat, and The Atlantic.

Carberry earned a Master of Public Administration from the Harvard Kennedy School, and has a B.A. in Urban Studies from Lehigh University.

The Fed 100

Save the date for 28th annual Federal 100 Awards Gala.


  • computer network

    How Einstein changes the way government does business

    The Department of Commerce is revising its confidentiality agreement for statistical data survey respondents to reflect the fact that the Department of Homeland Security could see some of that data if it is captured by the Einstein system.

  • Defense Secretary Jim Mattis. Army photo by Monica King. Jan. 26, 2017.

    Mattis mulls consolidation in IT, cyber

    In a Feb. 17 memo, Defense Secretary Jim Mattis told senior leadership to establish teams to look for duplication across the armed services in business operations, including in IT and cybersecurity.

  • Image from

    DHS vague on rules for election aid, say states

    State election officials had more questions than answers after a Department of Homeland Security presentation on the designation of election systems as critical U.S. infrastructure.

  • Org Chart Stock Art - Shutterstock

    How the hiring freeze targets millennials

    The government desperately needs younger talent to replace an aging workforce, and experts say that a freeze on hiring doesn't help.

  • Shutterstock image: healthcare digital interface.

    VA moves ahead with homegrown scheduling IT

    The Department of Veterans Affairs will test an internally developed scheduling module at primary care sites nationwide to see if it's ready to service the entire agency.

  • Shutterstock images (honglouwawa & 0beron): Bitcoin image overlay replaced with a dollar sign on a hardware circuit.

    MGT Act poised for a comeback

    After missing in the last Congress, drafters of a bill to encourage cloud adoption are looking for a new plan.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group