Policymakers need to stop looking for a silver bullet deterrence model for cyber and recognize the complexity of the threats, say current and former officials.
A border control model doesn't work. Neither does a missile defense or nuclear "mutually assured destruction" framework when it comes to cyber strategy and deterrence, according to current and former government officials.
Michael Daniel, former cybersecurity coordinator in the Obama administration, told FCW after a panel discussion at the RSA conference in San Francisco that, given the vast range of cyberthreats -- from nation states to hacktivists -- it is not possible to have one deterrence policy that works against every actor.
"You're going to have to have broader policy framework than that," he said.
"One of my goals when I was in the administration was, somewhere between the diplomatic engagement and the diplomatic saying 'please stop' to like, kinetic strike, there had to be more tools in there and we didn't have that full toolbox built out so you could ratchet the response up or down as needed."
He said that toolbox needs to be built so that any administration can open it up and put together a package of responses that could include sanctions, diplomatic action, law enforcement or intelligence actions to deter a specific actor.
He said that in his time in government that conversation was starting to happen, but it did not fully mature. In addition, he said the conversation has to expand to involve all the branches of government as well as the private sector.
He said the conversation needs to also get beyond a historic view that the complexity of the internet is only a source of vulnerability and to instead look at how to make the complex nodal structure a strategic advantage.
"And how can we now integrate across the private sector and the government so that no one party is responsible for all the security, but collectively we're responsible for more of it," he added.
Jeanette Manfra, acting deputy undersecretary in the Department of Homeland Security's Office of Cybersecurity and Communications, said that developing a cyber deterrence policy will require extensive public debate and analysis, and it won't be resolved quickly.
"I don't think you kind of really just dictate, OK, here's the nuclear triad for cybersecurity," she said.
"A lot of this comes down to society, government, private sector -- we all need to work through the process and the debate to understand what is it? What are the tradeoffs? What are our priorities? How do we want this to look? And it will sort of emerge."
She said that many of the previous and existing strategic frameworks – nuclear policy, counterterrorism, public health policies – all went through extensive processes of debate and revision, and cyber is no different.
"You have to understand that the reason why some of these mental models break down is either physics or the way that it's just sort of developed and the complexity of it all," she added.
She said people also need to keep in mind that cyber is often a means to carry out a crime or act for which there are longstanding policies to address.
"This is espionage, this is sabotage, this is coercion, there're just a lot of things that have happened for hundreds of years, they're just being used virtually and at a scale that is too complex, potentially, to understand," she said.