Cyber deterrence is about more than punching back

Politicians and experts routinely call for a strategy that imposes costs on nation states for cyberattacks, but going on offense isn't always the answer.

 

In 2017, Sen. Dan Sullivan (R-Alaska) quipped that America was the world's "cyber punching bag" following reports of Russian meddling in the 2016 election.

As U.S. government agencies and private sector companies have absorbed a dizzying array of cyberattacks in recent years, politicians and IT security experts have called for a coherent deterrence strategy that imposes costs on nation states and draws clear lines around unacceptable malicious cyber activity.

Peter W. Singer, a political scientist who advised the 2008 Barack Obama campaign on defense policy, is calling for a total rethink of U.S. cybersecurity policy and believes that many previously established global norms around cyber behavior have degraded over the past few years.

Singer, speaking at a May 10 event hosted by cybersecurity firm Gigamon, lamented what he called "the complete and utter collapse of cyber deterrence," arguing that incidents like the Russian cyber meddling in the 2016 election, the NotPetya ransomware attacks and other state-sponsored actions have whittled down international norms to an "anything goes" environment.

"Unfortunately, when you look at the combination of what has been played out … we have been left with the opposite of deterrence incentives," said Singer. "The failure to clearly respond to this overall campaign has taught not just Russia but any would-be attacker out there that these operations are relatively no pain on the cost side and all gain on the benefit side."

The Trump administration has made a series of moves over the past year in an attempt to change this calculus, attributing the NotPetya attacks to Russia and imposing economic sanctions and indictments on Russian and Iranian-affiliated hacking groups. Members of Congress have introduced legislation outlining a formal response to nation-state cyberattacks, while the White House, after initially chafing at congressional pressure, delivered its first cyber doctrine to Congress last month. That document remains classified.

Singer wants to improve the resiliency of federal and private sector networks so that attackers no longer see clear benefits, as a means of disincentivizing them.

The merging of governments and criminal hacking groups, or what Singer calls the "hybridization" of cyberspace, creates a whole new landscape of challenges for policymakers around deterrence. Hybrid groups get the best of both worlds because "they're able to use state assets, including on the intelligence side, but they get that sort of sense of deniability, that modicum of stealth that comes with it," he said.

In a May 3 speech hosted by the Atlantic Council, Joseph Nye, a Harvard political science professor who has studied and written about the use of cyber power by nation states, accused policymakers of viewing the issue of cyber deterrence through the prism of the Cold War and the "all or nothing" stakes that surrounded the use of nuclear weapons.

By contrast, not all cyberattacks are of equal importance, nor can you hope to deter all or even most of them, and there are multiple ways to achieve deterrence, from retaliation and denial to entanglement and creating taboos. Ultimately, Nye argued it's best to reserve retaliatory deterrence strategies only for attacks that rise to the level of a true national security threat.

"Actually, when we think about deterrence in cyberspace, it's much more like deterrence in crime," said Nye. "It's not perfect, you're not going to get them all, but that's obviously why we have police forces. We don't expect them to catch everybody, but without some deterrence there would be a lot more crime."