Is the Pentagon crazy enough to bring nukes to a cyberfight?
The latest Bond flick, Skyfall, could well be the most realistic of the entire series. Its villain, disgruntled ex-MI-6 operative and creepy cyber-hacker Raoul Silva, launches massive cyberattacks from his high-tech lair on a deserted island somewhere off of Macau. He threatens to commandeer the infrastructure of entire nations at the speed of light with the mere push of a button, leaving nary a trace. Who needs cyclopytic henchmen or sharks-with-frickin’-laser-beams-attached-to-their-heads when you can invisibly disrupt power grids around the globe by merely hitting the "Enter" key?
As it turns out, our most senior defense officials and intelligence chiefs, as well as top CEOs, are now grappling with this very issue: What to do about the Raoul Silvas of the world before they wreak cyber-havoc on the nation? The problem is that some in the Pentagon are threatening "deterrence" via kinetic reprisals — including nuclear counterattacks in the most extreme cases — that could actually encourage the very cyberattacks the government hopes to prevent.
In the latest report from the Office of the Director of National Intelligence (DNI), cyberthreats climbed from being the number-three threat last year to the number-one position — beating even terrorism to claim the top spot. In introducing the Worldwide Threat Assessment to the Senate, DNI James Clapper said that "when it comes to the distinct threat areas, our statement this year leads with cyber…. [I]t’s hard to overemphasize its significance." And yet cyberattacks have yet to cause damage in the way a military strike could. A sobering article by Thomas Rid in Foreign Policy points out that not a single fatality has yet been attributed to any cyberattack.
On the other hand, about $100 billion is believed to be lost annually to cyber-crime, cyber-extortion, cyber-espionage of corporate secrets, and in cleaning-up and addressing those threats. So it certainly makes sense to get out ahead of cyber-insecurities instead of waiting and reacting to a more metastasized crisis in a few years. The question is, when do cyber-intrusions cross the line from being an expensive criminal nuisance to a national-level concern requiring military intervention or military threats? And, relatedly, how should the United States divide the nation’s cybersecurity mission between the civilians (at the FBI and the Department of Homeland Security) and the military?
This is where the recent 146-page report from the Pentagon’s Defense Science Board, "Resilient Military Systems and the Advanced Cyber Threat," comes in. A 33-member panel of government and civilian experts was charged with reviewing the robustness of Pentagon defenses against cyberattacks and making recommendations to improve them. Although the report contains many sensible recommendations, it also makes an outrageous and counter-productive one: It suggests threatening the use of nuclear weapons in response to the most severe cyberattacks. "Deterrence is achieved with offensive cyber, some protected-conventional capabilities, and anchored with U.S. nuclear weapons," the report states, adding, "Cyber risk can be managed through the combination of deterrence (up to a nuclear response in the most extreme case) and improved cyber defense."
Nuclear deterrence isn’t the best analogy for addressing cyber-threats, and it is certainly the wrong policy. All through the Cold War, and even now, the United States had early-warning satellites that used infrared sensors to pinpoint where nuclear-tipped missiles may have come from, thus fulfilling the critical attribution criterion on which deterrence hinges. Nothing remotely equivalent exists in cyberspace. Another critical difference is the involvement of subnational groups. During the Cold War, if U.S. sensors indicated that missiles were coming from the Soviet Union, we had no doubt they were launched by the Soviet government. The same is not true of cyberattacks, which a group of teenagers in Russia could launch without the permission of their parents, let alone the government. Massive attacks can be carried out with cheap technology available to individuals. It’s as if all citizens worldwide had easy access to squadrons of stealth fighters.
Openly threatening U.S. military responses to cyberattacks may just encourage hackers trying to cause mischief — or subnational groups hoping to cause far worse. There are a number of dissident and terrorist groups in China — not to mention extremist anti-government militias in the United States — who would be happy to try to lead the United States into war with China. Even if we assume that they would not be able to trigger a nuclear response, it makes no sense to create incentives for them to do so by carrying out repeated malicious and severe cyberattacks against the United States. At best, threatening nuclear reprisal just legitimizes another use for nuclear weapons at a time when the United States is trying to reduce its reliance on them and ought to be setting a positive example.
The fundamental reason that deterrence does not translate well into the cyber realm is that true attribution is difficult in cyberspace. Even though cyber-sleuths can now trace attacks much better than even just a few years ago, it still is not good enough to determine exactly who carried out the attack and who may have sponsored it. Groups, whether state-sponsored or subnational, could also physically move overseas to launch attacks and thus reliably mislead attribution efforts. A group of Chinese hanging out in Paris for the summer would probably not attract much attention. Or they could hire hackers in a third country. One of the earliest documented hacking incidents, in 1986, was the "Cuckoo’s Egg" intrusion into about 400 U.S. military computer systems — to try to access documents on the Strategic Defense Initiative and nuclear bombs. After some first-rate sleuthing, the hacker was identified as a West German, Markus Hess, who was a paid recruit of the Soviet KGB.
But deterrence theory is not entirely useless in cyberspace. After all, you can deter an attacker not only by threatening to punish him in retaliation, but also by denying him any significant benefit from the attack. By making its systems highly resilient and instituting secure redundancies, the United States could make it seem futile for adversaries to attempt disrupting our computer systems.
The government is already taking steps to require stricter standards in designing more secure operating systems. Last month, President Obama signed an executive order and issued an accompanying presidential policy directive (PPD-21) that calls for a voluntary public-private approach to address cyber-threats to critical infrastructure. The measures appear to be a mixed bag: They encourage government agencies to share unclassified threat information with critical infrastructure operators, which is eminently sensible, but they also aim to impose mandatory regulations down the road, which may not be flexible enough to deal with rapidly mutating cyber-threats. The soundest solutions will likely come from innovation rather than legislation. One promising avenue for improving cybersecurity seems to be by migrating processing and data to a secure "cloud." Just as most of us place our money in a bank and not under the mattress, the future of secure computing might be in deterring cyberattacks by holding a small encrypted share in a massive cloud.
There is also a growing realization that some norms or rules for cybersecurity are a good idea. For example, this week, NATO’s Co-operative Cyber Defense Center of Excellence released rules governing the conduct of cyberattacks by its members. Until recently, the United States was wary of negotiating rules of the road for cyberspace, essentially claiming that the laws of war sufficed. But following a series of well-publicized cyberattacks against the United States, the Obama administration now favors establishing ground rules for cyberspace, going so far as berating China for not abiding by (largely non-existent) international cyber norms. That won’t be easy — the United States would like to focus on cyber-espionage, while Russia and China want any rules to leave them free to censor the Internet — but it is an essential step.
There should be no illusion that the cybersecurity problem is ever going to be solved entirely: The Internet is attractive because it is open, and being open is fundamentally at odds with being secure. We simply cannot legislate our way out of this problem. Like the war on drugs, it will continue. The real-world Raoul Silvas of the world will continue to cause cyber-havoc. We can respond by making our systems more resilient, improve our attribution abilities, and, to the extent possible, cooperate with other nations in smoking out the Silvas worldwide. But one thing we surely don’t need in cyberspace is nukes: It’s dangerous enough as it is.