Anyone looking over President Obama’s new Cybersecurity National Action Plan, which was announced on Tuesday, and reading his op-ed in the Wall Street Journal highlighting its key elements, will immediately see that two things are grievously wrong with the White House’s latest foray into trying to protect us from cyber attack.
The first is that there is absolutely no mention of Russia or China, let alone ISIS and other terrorist groups that are increasingly looking to the cyber sphere as a way to bring America to its knees. If you aren’t willing to admit who poses the principal threat, you aren’t really dealing with the problem.
The second is that the Action Plan is entirely focused on defensive cyber-security measures — judging from news reports, measures that will cost up to $19 billion, including $3.1 billion to replace outdated government computer systems. Throw in Obama’s proposed “cyber czar” — or federal information security officer, to be housed at the Department of Homeland Security — and you have a formula for investing still more money in a cyber-security strategy that the government, as well as private industry, has pursued for more than a decade and a half, with less than satisfactory results.
Certainly the costs have been enormous. Trying to stop cyber attacks by safeguarding information systems has become a multi-billion-dollar industry — in the U.S. private sector alone, the cyber-security market will grow to $170 billion by 2020. Over the past decade, the federal government has spent $100 billion on cyber security, and yet — as we learned last year with the cyber break-in at the Office of Personnel Management, when 22 million Americans had their personal information stolen — the government remains as vulnerable to attack as ever.
In fact, the real problem isn’t money but mindset. In cyber-war terms, we’ve been pouring money and resources into a World War One–style trench-warfare defensive strategy, while cyber attackers large and small have been practicing a World War Two–style Blitzkrieg offense — and making full use of two other advantages the cyber attacker enjoys, namely anonymity and deniability.
In the cyber sphere, all experts agree, the attacker will always be one step ahead of the defender. While the cyber-security engineer has to be able to plug every leak or vulnerability, the hacker needs only one successful exploit to steal the data he wants or shut down the system he wants to disable.
Therefore, it’s time for Washington to move to a new, more proactive approach to threats in the cyber realm. It is time to focus on how to deter cyber aggressors before they strike, and to take the necessary steps to persuade them not to attack at all.
In short, we need to shift from thinking about cyber security to cyber deterrence. Admiral Mike Rogers, the commander of U.S. Cyber Command and director of the National Security Agency, has already called for a national cyber-deterrence strategy, and has warned that the current purely defensive approach “will be both late to need and incredibly resource-intense” — in plain English, it will lock the barn door after the horse is stolen and will eventually push us into bankruptcy.
So what would an effective cyber-deterrence strategy look like?
First and foremost, it would warn all bad actors in the cyber realm, whether individuals, terrorist organizations, or nation-states, that their actions will be met with a scale of escalating responses, depending on the gravity of the threat — including responses outside the cyber realm, up to and including military action.
Students of deterrence, including nuclear deterrence during the Cold War, agree that a deterrence strategy needs to be credible, meaning that we have to make it clear to cyber aggressors that we are both ready and able to take countermeasures to defend ourselves; clear, meaning that any would-be transgressor has a pretty good idea what kind of retribution he can expect; and consistent, meaning that actions follow words — i.e., that the promise to retaliate against an attack on our banking system or on our power grid will be carried out without fail.
Finally, an effective cyber-deterrence strategy has to inspire fear. Herman Kahn, key theorist of Cold War nuclear deterrence, wrote that of all the “desirable characteristics of a deterrent,” the most important was that it be “frightening.” That’s what our nuclear deterrence was in the Cold War in the Sixties and Seventies, and it’s precisely what Obama’s National Action Plan isn’t. Instead, it’s an open invitation to cyber criminals — as well as to Russia, China, North Korea, and ISIS — to keep on hacking because they know that eventually they’ll get through.
A cyber-deterrence strategy, by contrast, will warn potential cyber enemies before they attack that they are going to suffer more pain than gain, and it will tell countries like Russia and China that if we determine that any cyber attack has originated from inside their borders, we will hold them responsible.
As a nation, we face real threats in the cyber realm. It’s time to develop a real strategy to deal with them, instead of just throwing more money at the problem — or appointing another well-paid bureaucrat to be our “cyber czar.”